DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-40891: Denial of Service via Unbounded Memory Allocation in OpenTelemetry .NET gRPC Trailer Parsing

Vulnerability ID: CVE-2026-40891
CVSS Score: 5.3
Published: 2026-04-23

The OpenTelemetry .NET OTLP exporter (OpenTelemetry.Exporter.OpenTelemetryProtocol) contains a Denial of Service (DoS) flaw: memory is allocated without an upper bound while deserializing gRPC status details. Because the vulnerable code runs in the exporting client, the attacker is the server side of the connection. Anyone who controls the telemetry endpoint (the OTLP collector), or who can perform a Man-in-the-Middle attack on the exporter's connection, can crash the instrumented application by returning a crafted Protobuf payload in the response trailers.

TL;DR

A memory allocation vulnerability in the OpenTelemetry .NET SDK allows a malicious gRPC endpoint to crash the client application via a crafted grpc-status-details-bin trailer.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-789
  • Attack Vector: Adjacent Network
  • CVSS v3.1 Score: 5.3
  • Exploit Status: Proof of Concept
  • Impact: Denial of Service (DoS)
  • KEV Status: Not Listed

Affected Systems

  • .NET applications using OpenTelemetry.Exporter.OpenTelemetryProtocol versions 1.13.1 through 1.15.1 (fixed in 1.15.2)

Mitigation Strategies

  • Dependency Upgrade
  • Network Transport Security
  • Configuration Hardening

Remediation Steps:

  1. Audit .NET project files (.csproj, and Directory.Packages.props where central package management is used) for references to OpenTelemetry.Exporter.OpenTelemetryProtocol.
  2. Upgrade the OpenTelemetry.Exporter.OpenTelemetryProtocol package to version 1.15.2 or newer.
  3. Verify that the OTLP exporter endpoint (OtlpExporterOptions.Endpoint, or the OTEL_EXPORTER_OTLP_ENDPOINT environment variable) is an https:// URL, so that the collector is authenticated and an on-path attacker cannot inject trailers. TLS does not help against a collector that is itself malicious or compromised; only the upgrade does.
  4. Bound the response header size on the HttpClient the exporter uses (in .NET, SocketsHttpHandler.MaxResponseHeadersLength, measured in kilobytes; gRPC trailers travel in the HTTP/2 header block that this limit covers). This is defence in depth that caps the bytes accepted from the collector; it is not a substitute for the upgrade.
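An added POSIX shell audit covering steps 1 and 2 above (example code written for this page, not part of the advisory or of the OpenTelemetry .NET project). The function names and the two sample .csproj files written by demo() are this example's own constructs; the package name and the affected range 1.13.1 to 1.15.1 come from the advisory.

```shell
#!/bin/sh
# Example audit helper for CVE-2026-40891. Not part of the advisory or of the
# OpenTelemetry .NET project; function names and the demo() project files are
# constructs of this example.
#
# Reads .csproj files, extracts the referenced version of
# OpenTelemetry.Exporter.OpenTelemetryProtocol, flags the affected range
# 1.13.1 <= v < 1.15.2 and prints the matching "dotnet add package" upgrade.

PKG="OpenTelemetry.Exporter.OpenTelemetryProtocol"
FIRST_AFFECTED="1.13.1"
FIXED="1.15.2"

# Numeric compare of two major.minor.patch versions; prints -1, 0 or 1.
# A prerelease suffix ("-beta.1") is dropped, so 1.15.2-beta.1 compares as
# 1.15.2; treat prerelease builds of the fixed version as unpatched when in doubt.
vercmp() {
  a="$(printf '%s' "$1" | sed 's/-.*//').0.0"
  b="$(printf '%s' "$2" | sed 's/-.*//').0.0"
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    i=$((i + 1))
  done
  printf '%s\n' 0
}

# True (exit 0) when the version falls inside the affected range.
is_vulnerable_version() {
  [ "$(vercmp "$1" "$FIRST_AFFECTED")" -ge 0 ] && [ "$(vercmp "$1" "$FIXED")" -lt 0 ]
}

# Print the version of PKG referenced in a .csproj, or nothing if it is absent.
# Handles <PackageReference Include="..." Version="x" /> and the
# <PackageReference Include="..."><Version>x</Version></PackageReference> form.
otlp_version_in_csproj() {
  tr -d '\n' < "$1" \
    | grep -oE "<PackageReference[^>]*Include=\"$PKG\"[^>]*(/>|>.{0,200}</PackageReference>)" \
    | grep -oE 'Version[=>]"?[0-9][0-9.]*(-[A-Za-z0-9.]+)?' \
    | head -n 1 \
    | sed -E 's/^Version[=>]"?//'
}

# Report one project file. Exit status: 0 patched, 1 vulnerable, 2 not referenced.
audit_csproj() {
  v=$(otlp_version_in_csproj "$1")
  if [ -z "$v" ]; then
    printf 'no-ref     %s\n' "$1"
    return 2
  elif is_vulnerable_version "$v"; then
    printf 'VULNERABLE %s %s %s -> dotnet add "%s" package %s --version %s\n' \
      "$1" "$PKG" "$v" "$1" "$PKG" "$FIXED"
    return 1
  else
    printf 'ok         %s %s %s\n' "$1" "$PKG" "$v"
    return 0
  fi
}

# Demo on two constructed project files (not real projects) so it runs offline:
# Api.csproj pins an affected version, Worker.csproj already has the fix.
demo() {
  d=$(mktemp -d)
  printf '<Project Sdk="Microsoft.NET.Sdk">\n  <ItemGroup>\n    <PackageReference Include="%s" Version="1.14.0" />\n  </ItemGroup>\n</Project>\n' \
    "$PKG" > "$d/Api.csproj"
  printf '<Project Sdk="Microsoft.NET.Sdk">\n  <ItemGroup>\n    <PackageReference Include="%s">\n      <Version>1.15.2</Version>\n    </PackageReference>\n  </ItemGroup>\n</Project>\n' \
    "$PKG" > "$d/Worker.csproj"
  find "$d" -name '*.csproj' | sort | while read -r f; do audit_csproj "$f" || true; done
  rm -rf "$d"
}

# Usage: sh audit-otlp.sh [path/to/*.csproj ...]; with no arguments the demo runs.
if [ "$#" -gt 0 ]; then
  for f in "$@"; do audit_csproj "$f" || true; done
else
  demo
fi
```

Run it across a repository with `find . -name '*.csproj' -exec sh audit-otlp.sh {} +`. The script only sees direct references: a version pulled in transitively, or set centrally in Directory.Packages.props, will show as no-ref, so confirm the resolved version with `dotnet list package --include-transitive` as well. Steps 3 and 4 are runtime configuration in the application itself and are not covered by this audit.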

Read the full report for CVE-2026-40891 on our website for more details including interactive diagrams and full exploit analysis.
