PT-2026-34708 · Unknown · Opentelemetry Dotnet

Arminru · +1

Published: 2026-04-23 · Updated: 2026-05-31

CVE-2026-40891

CVSS v3.1: 5.3 (Medium)
Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: OpenTelemetry dotnet versions 1.13.1 through 1.15.1
Description: When exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. A malformed trailer can declare an extremely large length for a length-delimited protobuf field (protobuf being a method of serializing structured data), and that declared length is used directly for allocation. This occurs because the DecodeBytes() function in GrpcStatusDeserializer decodes a protobuf varint length and allocates a byte array without validating that length against the remaining payload size. A malicious or compromised collector, or a man-in-the-middle attacker, could return a crafted payload to force an oversized memory allocation, leading to memory exhaustion and a potential denial of service (DoS) causing process instability or crashes.
Recommendations: Update to version 1.15.2.
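To make the defect class concrete, the following is an added example (not OpenTelemetry's own code; the StatusDetailsDecoder type, ReadVarint helper and the constructed trailer bytes are assumptions) showing a length-delimited decode that trusts the varint length beside one that checks it against the remaining payload before allocating:

```csharp
using System;
// Stand-in for the DecodeBytes() pattern described above (example code, not OpenTelemetry's own).
static class StatusDetailsDecoder
{
    // Reads a protobuf base-128 varint at pos and advances pos past it.
    static ulong ReadVarint(ReadOnlySpan<byte> data, ref int pos)
    {
        ulong value = 0;
        for (int shift = 0; shift <= 63; shift += 7)
        {
            if (pos >= data.Length) throw new FormatException("truncated varint");
            byte b = data[pos++];
            value |= (ulong)(b & 0x7F) << shift;
            if ((b & 0x80) == 0) return value;
        }
        throw new FormatException("varint longer than 10 bytes");
    }
    // Vulnerable shape: the decoded length is trusted and allocated before any bounds check.
    public static byte[] DecodeBytesUnchecked(ReadOnlySpan<byte> data, ref int pos)
    {
        ulong length = ReadVarint(data, ref pos);
        var buffer = new byte[length];                  // attacker-controlled allocation size
        data.Slice(pos, buffer.Length).CopyTo(buffer);  // only now fails on a short payload
        pos += buffer.Length;
        return buffer;
    }
    // Hardened shape: reject a length that exceeds the bytes actually remaining, then copy.
    public static byte[] DecodeBytesChecked(ReadOnlySpan<byte> data, ref int pos)
    {
        ulong length = ReadVarint(data, ref pos);
        int remaining = data.Length - pos;
        if (length > (ulong)remaining)
            throw new FormatException($"declared length {length} exceeds remaining {remaining} bytes");
        var buffer = data.Slice(pos, (int)length).ToArray();
        pos += (int)length;
        return buffer;
    }
}
class Program
{
    static void Main()
    {
        // Constructed payload: tag 0x12 (field 2, wire type 2), varint 100,000,000 (80 C2 D7 2F), 3 real bytes.
        byte[] crafted = { 0x12, 0x80, 0xC2, 0xD7, 0x2F, 0x61, 0x62, 0x63 };
        int pos = 1; // skip the tag byte
        try { StatusDetailsDecoder.DecodeBytesChecked(crafted, ref pos); }
        catch (FormatException e) { Console.WriteLine("rejected before allocating: " + e.Message); }
    }
}
```

With the same eight-byte input, the unchecked variant would allocate a 100 MB array first and only then fail when slicing the three remaining bytes, which is the allocation-before-validation ordering the advisory describes.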

Related Identifiers

CVE-2026-40891
GHSA-MR8R-92FQ-PJ8P

Affected Products

Opentelemetry Dotnet