5.3
CVE-2026-40891
- EPSS 0.19%
- Published 23.04.2026 18:16:28
- Last modified 29.04.2026 14:15:05
- Source security-advisories@github.com
OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` parsing in OTLP/gRPC retry handling
OpenTelemetry dotnet is a .NET telemetry framework. In versions from 1.13.1 up to but not including 1.15.2, when exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could encode an extremely large length-delimited protobuf field whose declared length was used directly as an allocation size, allowing excessive memory allocation and potential denial of service (DoS). Because the trailer comes from the remote OTLP endpoint, the exposure is to a malicious or compromised collector (or anything on the path able to return gRPC trailers), which matches the adjacent-network, no-privileges vector below. This vulnerability is fixed in 1.15.2.
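The allocation pattern the description refers to, shown as an added Python example that is not the project's own code: a minimal decoder for the google.rpc.Status message carried in grpc-status-details-bin (including the google.rpc.RetryInfo detail an exporter consults when deciding how long to wait before retrying), with a bounds check on every length-delimited field so a declared length can never exceed the bytes actually present. Both trailers are constructed here for the demonstration; the 64 KiB size cap and all function names are assumptions for this example, not values taken from OpenTelemetry.

```python
import base64

# Assumed cap on the decoded trailer; gRPC trailers are small, so anything near this is suspect.
MAX_TRAILER_BYTES = 64 * 1024


def read_varint(buf, pos):
    """Decode a base-128 varint at pos; returns (value, new_pos). Rejects truncated/overlong input."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def read_fixed(buf, pos, n):
    if len(buf) - pos < n:
        raise ValueError("truncated fixed-width field")
    return bytes(buf[pos:pos + n]), pos + n


def read_length_delimited(buf, pos):
    """The hardened step: the declared length must fit in the remaining input before any copy/allocation."""
    length, pos = read_varint(buf, pos)
    remaining = len(buf) - pos
    if length > remaining:
        raise ValueError(f"declared length {length} exceeds remaining {remaining} bytes")
    return bytes(buf[pos:pos + length]), pos + length


def declared_length_without_bounds_check(buf):
    """What pre-fix code would have trusted as an allocation size: the first field's length varint, as-is.
    Returns the number instead of allocating, so the example itself stays safe to run."""
    tag, pos = read_varint(buf, 0)
    if tag & 7 != 2:
        raise ValueError("first field is not length-delimited")
    length, _ = read_varint(buf, pos)
    return length


def iter_fields(buf):
    """Yield (field_number, wire_type, value) for a protobuf message; groups (wire types 3/4) are rejected."""
    pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wt = tag >> 3, tag & 7
        if wt == 0:
            val, pos = read_varint(buf, pos)
        elif wt == 2:
            val, pos = read_length_delimited(buf, pos)
        elif wt == 1:
            val, pos = read_fixed(buf, pos, 8)
        elif wt == 5:
            val, pos = read_fixed(buf, pos, 4)
        else:
            raise ValueError(f"unsupported wire type {wt}")
        yield field, wt, val


def parse_status(buf):
    """google.rpc.Status: 1=code (varint), 2=message (string), 3=details (repeated google.protobuf.Any)."""
    status = {"code": 0, "message": "", "details": []}
    for field, wt, val in iter_fields(buf):
        if field == 1 and wt == 0:
            status["code"] = val
        elif field == 2 and wt == 2:
            status["message"] = val.decode("utf-8", "replace")
        elif field == 3 and wt == 2:
            detail = {"type_url": "", "value": b""}
            for f2, w2, v2 in iter_fields(val):  # Any: 1=type_url, 2=value
                if f2 == 1 and w2 == 2:
                    detail["type_url"] = v2.decode("utf-8", "replace")
                elif f2 == 2 and w2 == 2:
                    detail["value"] = v2
            status["details"].append(detail)
    return status


def retry_delay_seconds(status):
    """google.rpc.RetryInfo: 1=retry_delay (Duration: 1=seconds, 2=nanos). None if the server sent no hint."""
    for detail in status["details"]:
        if detail["type_url"].endswith("/google.rpc.RetryInfo"):
            for f, w, v in iter_fields(detail["value"]):
                if f == 1 and w == 2:
                    seconds = nanos = 0
                    for f2, w2, v2 in iter_fields(v):
                        if f2 == 1 and w2 == 0:
                            seconds = v2
                        elif f2 == 2 and w2 == 0:
                            nanos = v2
                    return seconds + nanos / 1e9
    return None


def decode_trailer(value):
    """gRPC -bin metadata is base64 and may arrive unpadded; cap the decoded size before parsing."""
    raw = base64.b64decode(value + "=" * (-len(value) % 4))
    if len(raw) > MAX_TRAILER_BYTES:
        raise ValueError("trailer too large")
    return raw


def parses_cleanly(value):
    try:
        parse_status(decode_trailer(value))
        return True
    except ValueError:
        return False


# --- constructed sample trailers (not captured from any real collector) ---
def _vi(field, value):
    out, tag = bytearray(), (field << 3) | 0
    for v in (tag, value):
        while True:
            b = v & 0x7F
            v >>= 7
            out.append(b | 0x80 if v else b)
            if not v:
                break
    return bytes(out)


def _ld(field, payload):
    return _vi(field, len(payload))[:1] .replace(b"\x00", b"") + _vi(0, len(payload))[1:] + payload if False else \
        bytes([(field << 3) | 2]) + _vi(0, len(payload))[1:] + payload


_duration = _vi(1, 2) + _vi(2, 500_000_000)                       # 2.5 s
_retry_info = _ld(1, _duration)
_any = _ld(1, b"type.googleapis.com/google.rpc.RetryInfo") + _ld(2, _retry_info)
GOOD_TRAILER = base64.b64encode(_vi(1, 14) + _ld(2, b"collector overloaded") + _ld(3, _any)).decode()

# field 2 (message), declared length 0xFFFFFFFF, followed by nothing at all: 6 bytes on the wire.
MALFORMED_TRAILER = base64.b64encode(bytes([0x12, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F])).decode()

if __name__ == "__main__":
    good = parse_status(decode_trailer(GOOD_TRAILER))
    print("code", good["code"], "retry after", retry_delay_seconds(good), "s")
    print("pre-fix allocation size for malformed trailer:",
          declared_length_without_bounds_check(decode_trailer(MALFORMED_TRAILER)))
    print("hardened parser accepts malformed trailer:", parses_cleanly(MALFORMED_TRAILER))
```

The check that matters is the single comparison in read_length_delimited: a length-delimited field's declared length is attacker data and is only meaningful relative to the bytes that follow it, so compare before you allocate or copy. Capping the decoded trailer size in decode_trailer is a second, cheaper line of defence that also bounds the work done on nested messages.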
Data provided by the National Vulnerability Database (NVD)
Affected configuration: Opentelemetry ≫ Opentelemetry (target software: .net), versions >= 1.13.1 and < 1.15.3
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.19% | 0.09 |

| Source | Base Score | Exploitability Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 1.6 | 3.6 | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| security-advisories@github.com | 5.3 | 1.6 | 3.6 | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
CWE-789 Memory Allocation with Excessive Size Value
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
https://github.com/open-telemetry/opentelemetry-dotnet/pull/5980
https://github.com/open-telemetry/opentelemetry-dotnet/pull/7064
https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-mr8r-92fq-pj8p