VDB

CVE-2026-40894

CVE-2026-40894 PUBLISHED CVSS 5.300000190734863 MEDIUM

OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.

EPSS 0.03% · 8.5th percentile

Risk Scores

CVSS v3.1
5.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score
0.03%
8.5th percentile

Affected Products

VendorProductVersions
open-telemetryopentelemetry-dotnet>= 0.5.0-beta.2, < 1.15.3
NuGetOpenTelemetry.Api0.5.0-beta.2
open-telemetryOpenTelemetry.Extensions.Propagators>= 1.3.1, < 1.15.3
open-telemetryOpenTelemetry.Api>= 0.5.0-beta.2, < 1.15.3
NuGetOpenTelemetry.Extensions.Propagators1.3.1

Timeline

  • Apr 23, 2026 CVE Published
  • Apr 24, 2026 Security Advisory
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score
  • May 25, 2026 EPSS Score
  • May 26, 2026 EPSS Score
  • May 27, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›