CVE-2026-40894 — MEDIUM (5.3)

Q: How severe is CVE-2026-40894?

CVE-2026-40894 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-40894?

Check the references section above for vendor advisories and patch information. Affected products include: Opentelemetry Opentelemetry, Opentelemetry Opentelemetry.Api, Opentelemetry Opentelemetry.Extensions.Propagators.

Vulnerability Description

OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Opentelemetry	Opentelemetry	>= 0.5.0, < 1.15.3
Opentelemetry	Opentelemetry.Api	>= 0.5.0, < 1.15.3
Opentelemetry	Opentelemetry.Extensions.Propagators	< 1.15.3

Related Weaknesses (CWE)

CWE-789

References

https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048Issue TrackingPatch
https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244Issue TrackingPatch
https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309Issue TrackingPatch
https://github.com/open-telemetry/opentelemetry-dotnet/pull/533Issue TrackingPatch
https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061Issue TrackingPatch
https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-Vendor AdvisoryMitigation

FAQ

What is CVE-2026-40894?

CVE-2026-40894 is a vulnerability with a CVSS score of 5.3 (MEDIUM). OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B...

How severe is CVE-2026-40894?

CVE-2026-40894 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-40894?

Check the references section above for vendor advisories and patch information. Affected products include: Opentelemetry Opentelemetry, Opentelemetry Opentelemetry.Api, Opentelemetry Opentelemetry.Extensions.Propagators.