DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-40894: Excessive Memory Allocation in OpenTelemetry .NET Propagation Headers

Vulnerability ID: CVE-2026-40894
CVSS Score: 5.3
Published: 2026-04-23

The OpenTelemetry .NET SDK contains a denial of service vulnerability caused by excessive memory allocation while parsing propagation headers. Vulnerable versions use an eager allocation strategy, specifically string.Split(), to process Baggage, B3, and Jaeger headers. Unauthenticated remote attackers can exploit this by submitting crafted headers containing dense sequences of delimiters, forcing the application to allocate thousands of objects per request. The result is severe garbage collection pressure and potential OutOfMemoryException conditions. The vulnerability is fixed in version 1.15.3.
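As an added illustration (not OpenTelemetry's own code), the eager Split()-based pattern described above sits beside a bounded, span-based parser for a simplified Baggage-style key=value list; the 180-item cap and 1024-character limit are assumptions taken from the remediation and WAF notes on this page, and the hostile input is constructed for the demo.

```csharp
using System;
using System.Collections.Generic;

// Constructed demo, not OpenTelemetry code. The limits below are assumptions:
// MaxItems mirrors the 180-item cap, MaxHeaderLength mirrors the 1024-char WAF rule.
static class BaggageParsing
{
    const int MaxItems = 180;
    const int MaxHeaderLength = 1024;

    // Eager style: every delimiter yields a new string before any validation runs,
    // so ",,,,,,,," allocates one empty string per comma plus one array per item.
    public static Dictionary<string, string> ParseEager(string header)
    {
        var result = new Dictionary<string, string>();
        foreach (var item in header.Split(','))          // N strings for N commas
        {
            var kv = item.Split('=');                    // another array (and strings) per item
            if (kv.Length == 2 && kv[0].Trim().Length > 0)
                result[kv[0].Trim()] = kv[1].Trim();
        }
        return result;
    }

    // Bounded style: walk the header as a span, allocate only for accepted items,
    // reject oversized headers up front, and stop once the item cap is reached.
    public static Dictionary<string, string> ParseBounded(string header)
    {
        var result = new Dictionary<string, string>();
        if (header is null || header.Length > MaxHeaderLength) return result;

        ReadOnlySpan<char> rest = header.AsSpan();
        int accepted = 0;
        while (!rest.IsEmpty && accepted < MaxItems)
        {
            int comma = rest.IndexOf(',');
            ReadOnlySpan<char> item = comma < 0 ? rest : rest.Slice(0, comma);
            rest = comma < 0 ? ReadOnlySpan<char>.Empty : rest.Slice(comma + 1);

            item = item.Trim();
            if (item.IsEmpty) continue;                  // empty segment: no allocation at all
            int eq = item.IndexOf('=');
            if (eq <= 0) continue;                       // missing key or missing '='
            ReadOnlySpan<char> value = item.Slice(eq + 1);
            int semi = value.IndexOf(';');               // drop ";"-separated properties
            if (semi >= 0) value = value.Slice(0, semi);
            result[item.Slice(0, eq).Trim().ToString()] = value.Trim().ToString();
            accepted++;
        }
        return result;
    }

    static void Main()
    {
        // Constructed hostile input: 1000 delimiters followed by one legitimate pair.
        string hostile = new string(',', 1000) + "tenant=acme";
        Console.WriteLine(ParseEager(hostile).Count);    // 1, after ~1000 throwaway strings
        Console.WriteLine(ParseBounded(hostile).Count);  // 1, allocating only the accepted pair
    }
}
```

A header made of nothing but delimiters still costs the bounded parser a linear scan, but no per-delimiter objects, which is what removes the GC pressure the advisory describes.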

TL;DR

OpenTelemetry .NET SDK versions up to 1.15.2 are vulnerable to a Denial of Service (DoS) attack via unauthenticated memory exhaustion (CWE-789). Maliciously crafted propagation headers force eager memory allocations, causing high garbage collection pressure. Upgrade to version 1.15.3 to resolve the issue.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-789
  • Attack Vector: Network
  • CVSS v3.1: 5.3
  • EPSS: N/A
  • Impact: Denial of Service (DoS)
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • OpenTelemetry .NET SDK
  • ASP.NET Core applications utilizing OpenTelemetry instrumentation
  • Microservices relying on Baggage and B3 propagation
  • OpenTelemetry.Api: >= 0.5.0-beta.2, <= 1.15.2 (Fixed in: 1.15.3)
  • OpenTelemetry.Extensions.Propagators: >= 1.3.1, <= 1.15.2 (Fixed in: 1.15.3)

Mitigation Strategies

  • Update OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators packages to version 1.15.3 or later.
  • Implement WAF rules to drop requests with tracing headers exceeding 1024 characters.
  • Enforce maximum HTTP header size limits in reverse proxies or API gateways.
  • Monitor .NET memory metrics for abnormal garbage collection (Gen 2) pauses and string allocation spikes.

Remediation Steps

  1. Audit project files (.csproj) for references to vulnerable OpenTelemetry packages.
  2. Update explicit package references to version 1.15.3.
  3. Use 'dotnet list package --include-transitive' to identify vulnerable packages included via indirect dependencies.
  4. Redeploy the updated application to all environments.
  5. Verify that distributed tracing continues to function correctly, ensuring the 180-item limit does not impact legitimate application behavior.
