CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-40182: Unbounded Memory Exhaustion Denial of Service in OpenTelemetry .NET OTLP Exporter

Vulnerability ID: CVE-2026-40182
CVSS Score: 5.3
Published: 2026-04-23

The opentelemetry-dotnet framework versions 1.13.1 through 1.15.1 contain an uncontrolled resource consumption vulnerability in the OpenTelemetry Protocol (OTLP) exporter component. When an OTLP export request fails with an HTTP 4xx or 5xx status code, the application unconditionally reads the entire error response body into memory for diagnostic logging without enforcing buffer limits. An attacker positioned on the adjacent network, or operating a compromised telemetry collector, can return an infinitely large response stream to trigger a System.OutOfMemoryException and crash the instrumented application.

TL;DR

An unbounded resource consumption flaw in OpenTelemetry .NET allows an attacker controlling the telemetry backend to crash the application by sending an exceptionally large response body during failed OTLP exports.


Technical Details

  • CWE ID: CWE-400
  • Attack Vector: Adjacent Network
  • CVSS v3.1 Score: 5.3
  • Impact: Denial of Service (Memory Exhaustion)
  • Exploit Status: No Known Public Exploit
  • CISA KEV Status: Not Listed

Affected Systems

  • opentelemetry-dotnet
  • OpenTelemetry.Exporter.OpenTelemetryProtocol
  • OpenTelemetry.Exporter.OpenTelemetryProtocol: >= 1.13.1, < 1.15.2 (Fixed in: 1.15.2)

Code Analysis

Commit: 63f220b

Enforce maximum buffer bounds for diagnostic logging during OTLP export failures.

Introduced MessageSizeLimit and replaced stream read operations with ArrayPool bounded reads.
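An added C# illustration of the pattern the commit message describes, not code from opentelemetry-dotnet or from commit 63f220b: the unbounded error-body read next to a bounded read through ArrayPool. The MaxDiagnosticBytes cap and the constructed 8 MiB demo body are assumptions; the package's real MessageSizeLimit value is not given in the advisory.

```csharp
// Added illustration, not opentelemetry-dotnet code: the unbounded read the
// advisory describes next to a bounded, pooled read of the same error body.
using System;
using System.Buffers;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

static class ErrorBodyReader
{
    // Assumed cap; the package's actual MessageSizeLimit value is not in the advisory.
    const int MaxDiagnosticBytes = 4096;

    // Vulnerable pattern: buffers the entire body, however large the collector makes it.
    public static Task<string> ReadUnboundedAsync(HttpResponseMessage response)
        => response.Content.ReadAsStringAsync();

    // Hardened pattern: copies at most MaxDiagnosticBytes into a rented buffer, then stops.
    public static async Task<string> ReadBoundedAsync(HttpResponseMessage response)
    {
        using Stream body = await response.Content.ReadAsStreamAsync();
        byte[] buffer = ArrayPool<byte>.Shared.Rent(MaxDiagnosticBytes);
        try
        {
            int total = 0;
            while (total < MaxDiagnosticBytes)
            {
                int n = await body.ReadAsync(buffer, total, MaxDiagnosticBytes - total);
                if (n == 0) break;                 // end of body reached before the cap
                total += n;
            }
            string text = Encoding.UTF8.GetString(buffer, 0, total);
            // Bytes past the cap are never buffered; mark the entry so it is not read as the full body.
            return total == MaxDiagnosticBytes ? text + " [truncated]" : text;
        }
        finally { ArrayPool<byte>.Shared.Return(buffer); }
    }

    static async Task Main()
    {
        // Constructed 8 MiB error body standing in for a misbehaving collector's oversized response.
        var huge = new MemoryStream(Encoding.ASCII.GetBytes(new string('x', 8 * 1024 * 1024)));
        var response = new HttpResponseMessage(HttpStatusCode.InternalServerError)
        {
            Content = new StreamContent(huge)
        };
        string logged = await ReadBoundedAsync(response);
        Console.WriteLine($"logged {logged.Length} chars of a {huge.Length}-byte body");
    }
}
```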

Mitigation Strategies

  • Update OpenTelemetry.Exporter.OpenTelemetryProtocol to version 1.15.2 or later.
  • Disable internal OpenTelemetry diagnostic logging in production environments.

Remediation Steps:

  1. Identify projects referencing OpenTelemetry.Exporter.OpenTelemetryProtocol versions 1.13.1 through 1.15.1.
  2. Update package references to version 1.15.2 via NuGet package manager or command line.
  3. Verify that OpenTelemetryProtocolExporterEventSource.Log.IsEnabled evaluates to false in production deployment configurations.
  4. Rebuild the application and deploy the patched or reconfigured artifacts to production environments.

Read the full report for CVE-2026-40182 on our website for more details including interactive diagrams and full exploit analysis.
