CVE-2026-40894

Sažetak

OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.

Reference

https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048
https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244
https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309
https://github.com/open-telemetry/opentelemetry-dotnet/pull/533
https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061
https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j

CVSS

Base:	5.3
Impact:	1.4
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	NONE	LOW

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Zadnje važnije ažuriranje

24-04-2026 - 14:50

Objavljeno

23-04-2026 - 19:17