CVE-2026-40894

Source
https://cve.org/CVERecord?id=CVE-2026-40894
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40894.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40894
Aliases
Downstream
Related
Published
2026-04-23T18:03:28.211Z
Modified
2026-07-15T01:48:58.232139215Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers
Details

OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-789"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40894.json"
}
References

Affected packages

Git / github.com/open-telemetry/opentelemetry-dotnet

Affected ranges

Type
GIT
Repo
https://github.com/open-telemetry/opentelemetry-dotnet
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "CPE_RANGE",
    "cpe": [
        "cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:.net:*:*",
        "cpe:2.3:a:opentelemetry:opentelemetry.api:*:*:*:*:*:.net:*:*",
        "cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:*:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "0.5.0"
        },
        {
            "fixed": "1.15.3"
        },
        {
            "introduced": "0"
        }
    ]
}

Affected versions

0.*
0.2.0-alpha
0.3.0-beta
0.4.0-beta
0.5.0-beta
0.6.0-beta
0.7.0-beta
0.8.0-beta
1.*
1.0.0-rc1
1.0.0-rc10
1.0.0-rc2
1.0.0-rc3
1.0.0-rc4
1.0.0-rc5
1.0.0-rc6
1.0.0-rc7
1.0.0-rc8
1.0.0-rc9
1.0.0-rc9.1
1.0.0-rc9.10
1.0.0-rc9.11
1.0.0-rc9.12
1.0.0-rc9.13
1.0.0-rc9.14
1.0.0-rc9.2
1.0.0-rc9.3
1.0.0-rc9.4
1.0.0-rc9.5
1.0.0-rc9.6
1.0.0-rc9.7
1.0.0-rc9.8
1.0.0-rc9.9
1.5.0-beta.1
1.5.1-beta.1
1.6.0-beta.1
1.6.0-beta.2
1.6.0-beta.3
1.6.0-rc.1
1.7.0-beta.1
Instrumentation.*
Instrumentation.AspNetCore-1.6.0
Instrumentation.AspNetCore-1.7.0
Instrumentation.AspNetCore-1.7.1
Instrumentation.AspNetCore-1.8.0
Instrumentation.AspNetCore-1.8.1
Instrumentation.GrpcNetClient-1.7.0-beta.1
Instrumentation.GrpcNetClient-1.8.0-beta.1
Instrumentation.Http-1.6.0
Instrumentation.Http-1.7.0
Instrumentation.Http-1.7.1
Instrumentation.Http-1.8.0
Instrumentation.Http-1.8.1
Instrumentation.SqlClient-1.7.0-beta.1
Instrumentation.SqlClient-1.8.0-beta.1
core-1.*
core-1.0.0-rc3
core-1.0.0-rc4
core-1.0.1
core-1.1.0
core-1.1.0-beta1
core-1.1.0-beta2
core-1.1.0-beta3
core-1.1.0-beta4
core-1.1.0-rc1
core-1.10.0
core-1.10.0-beta.1
core-1.10.0-rc.1
core-1.11.0
core-1.11.0-rc.1
core-1.11.1
core-1.11.2
core-1.12.0
core-1.13.0
core-1.13.1
core-1.14.0
core-1.14.0-rc.1
core-1.15.0
core-1.15.1
core-1.15.2
core-1.2.0
core-1.2.0-alpha1
core-1.2.0-alpha2
core-1.2.0-alpha3
core-1.2.0-alpha4
core-1.2.0-beta1
core-1.2.0-beta2
core-1.2.0-rc1
core-1.2.0-rc2
core-1.2.0-rc3
core-1.2.0-rc4
core-1.2.0-rc5
core-1.3.0
core-1.3.0-beta.1
core-1.3.0-beta.2
core-1.3.0-rc.2
core-1.4.0
core-1.4.0-alpha.1
core-1.4.0-alpha.2
core-1.4.0-beta.1
core-1.4.0-beta.2
core-1.4.0-beta.3
core-1.4.0-rc.1
core-1.4.0-rc.2
core-1.4.0-rc.3
core-1.4.0-rc.4
core-1.5.0
core-1.5.0-alpha.1
core-1.5.0-rc.1
core-1.6.0
core-1.6.0-alpha.1
core-1.6.0-rc.1
core-1.7.0
core-1.7.0-alpha.1
core-1.7.0-rc.1
core-1.8.0
core-1.8.0-beta.1
core-1.8.0-rc.1
core-1.9.0
core-1.9.0-alpha.1
core-1.9.0-rc.1
coreunstable-1.*
coreunstable-1.10.0-beta.1
coreunstable-1.11.0-beta.1
coreunstable-1.11.2-beta.1
coreunstable-1.12.0-beta.1
coreunstable-1.13.0-beta.1
coreunstable-1.13.1-beta.1
coreunstable-1.14.0-beta.1
coreunstable-1.15.0-beta.1
coreunstable-1.15.1-beta.1
coreunstable-1.15.2-beta.1
coreunstable-1.9.0-alpha.1
coreunstable-1.9.0-alpha.2
coreunstable-1.9.0-beta.1
coreunstable-1.9.0-beta.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40894.json"