CVE-2026-40894

5.3 MEDIUM
Published: April 23, 2026 Modified: April 28, 2026
View on NVD

Description

OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048
Source: security-advisories@github.com
Issue Tracking Patch
https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244
Source: security-advisories@github.com
Issue Tracking Patch
https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309
Source: security-advisories@github.com
Issue Tracking Patch
https://github.com/open-telemetry/opentelemetry-dotnet/pull/533
Source: security-advisories@github.com
Issue Tracking Patch
https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061
Source: security-advisories@github.com
Issue Tracking Patch
https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j
Source: security-advisories@github.com
Vendor Advisory Mitigation

6 reference(s) from NVD

Quick Stats

CVSS v3 Score
5.3 / 10.0
EPSS (Exploit Probability)
0.0%
7th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-789

Affected Vendors

opentelemetry

Related CVEs

CVE-2026-7779 4.3
CVE-2026-42238 N/A
CVE-2026-42223 6.5
CVE-2026-42222 8.1
CVE-2026-42221 8.1