Memory Exhaustion Risk in OpenTelemetry .NET Framework by OpenTelemetry
CVE-2026-40182

5.3 MEDIUM

Key Information:

Vendor
CVE Published: 23 April 2026

What is CVE-2026-40182?

The OpenTelemetry .NET telemetry framework is susceptible to a memory exhaustion vulnerability when exporting telemetry data to a back-end or collector over gRPC or HTTP, specifically in versions 1.13.1 to 1.15.1. If a request to the back-end endpoint results in an unsuccessful response (HTTP 4xx or 5xx), the application may read the response body into memory with no limit on its size, potentially leading to excessive memory consumption. This is particularly concerning when the back-end endpoint is under the control of an attacker, or when a man-in-the-middle (MitM) attacker intercepts the connection, because either can send an enormous response body. The vulnerability is mitigated in version 1.15.2.
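The following C# example is added here for illustration and is not code from OpenTelemetry or from this advisory: it shows a failed export response read with a fixed byte cap, next to the unbounded read the description warns about. The class name, method names and the 4 KiB cap are assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

public static class BoundedErrorBody
{
    // Assumed cap for this example; not a value taken from the 1.15.2 fix.
    private const int MaxErrorBodyBytes = 4 * 1024;

    // Unbounded pattern: the whole error body is buffered, however large the peer makes it.
    public static Task<string> ReadErrorUnboundedAsync(HttpResponseMessage response)
        => response.Content.ReadAsStringAsync();

    // Bounded pattern: read at most MaxErrorBodyBytes from the stream, then stop.
    public static async Task<string> ReadErrorBoundedAsync(
        HttpResponseMessage response, CancellationToken ct = default)
    {
        using Stream body = await response.Content.ReadAsStreamAsync();
        var buffer = new byte[MaxErrorBodyBytes];
        int total = 0;
        while (total < buffer.Length)
        {
            int n = await body.ReadAsync(buffer, total, buffer.Length - total, ct);
            if (n == 0) break; // end of body reached before the cap
            total += n;
        }
        // Bytes past the cap are never read. A multi-byte character cut at the
        // cap decodes to U+FFFD, which is acceptable for a diagnostic message.
        return Encoding.UTF8.GetString(buffer, 0, total);
    }

    // Sends the export request and returns an empty string on success,
    // or the status code plus a truncated error body on HTTP 4xx/5xx.
    public static async Task<string> ExportAsync(
        HttpClient client, HttpRequestMessage request, CancellationToken ct = default)
    {
        // ResponseHeadersRead returns as soon as headers arrive, so HttpClient
        // does not buffer the body before the status code can be inspected.
        using HttpResponseMessage response =
            await client.SendAsync(request, HttpCompletionOption.ResponseHeadersRead, ct);
        if (response.IsSuccessStatusCode) return string.Empty;
        return $"{(int)response.StatusCode}: {await ReadErrorBoundedAsync(response, ct)}";
    }
}
```

Disposing the response after the capped read abandons the rest of the body instead of draining it, so an oversized reply costs the exporter at most the cap in memory.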

Affected Version(s)

opentelemetry-dotnet >= 1.13.1, < 1.15.2

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved