CVE-2026-40182 Overview
OpenTelemetry .NET is a telemetry framework for .NET applications that enables observability through metrics, traces, and logs. A memory exhaustion vulnerability exists in versions 1.13.1 through 1.15.1 when exporting telemetry data to a backend or collector over gRPC or HTTP using the OpenTelemetry Protocol (OTLP) format. When a request results in an unsuccessful response (HTTP 4xx or 5xx), the response body is read into memory without any upper bound on the number of bytes consumed. This unbounded memory allocation can lead to memory exhaustion in the consuming application.
Critical Impact
Applications using vulnerable OpenTelemetry .NET versions may experience denial of service through memory exhaustion if an attacker controls the collector endpoint or can perform a man-in-the-middle attack on the connection.
Affected Products
- OpenTelemetry .NET versions 1.13.1 to 1.15.1
- Applications using OTLP exporter over gRPC
- Applications using OTLP exporter over HTTP
Discovery Timeline
- April 23, 2026 - CVE-2026-40182 published to NVD
- April 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-40182
Vulnerability Analysis
The vulnerability resides in the OTLP exporter component of OpenTelemetry .NET. When telemetry data is exported to a backend collector and the collector returns an error response (HTTP status codes 4xx or 5xx), the exporter reads the entire response body into memory. The fundamental flaw is the absence of any size limit or boundary check on this memory read operation.
In a typical scenario, error responses from legitimate collectors are small, containing brief error messages. However, if an attacker controls the collector endpoint or can intercept and modify network traffic through a man-in-the-middle attack, they can return an arbitrarily large response body. The application will attempt to allocate memory for the entire response, potentially consuming all available memory and causing the application to crash or become unresponsive.
This vulnerability is classified under CWE-789 (Memory Allocation with Excessive Size Value), which describes scenarios where memory allocation occurs based on untrusted input without proper validation of the size parameter.
Root Cause
The root cause is improper handling of HTTP response bodies when processing error responses from OTLP collectors. The code responsible for reading error responses does not implement a maximum size limit, allowing unbounded memory allocation based on attacker-controlled data. This represents a failure to validate input size before memory allocation operations.
Attack Vector
The attack requires adjacent network access, meaning the attacker must either control the configured collector endpoint or be positioned to intercept network traffic between the application and its legitimate collector. The attack scenario involves:
- The vulnerable application attempts to export telemetry data to a collector endpoint
- The attacker-controlled or compromised endpoint returns an HTTP 4xx or 5xx error response
- The response body contains an extremely large payload (potentially gigabytes in size)
- The application reads the entire response into memory without bounds checking
- Memory exhaustion occurs, causing denial of service
The vulnerability mechanism can be understood as follows: when the OTLP exporter receives an error response, it attempts to read the response body to extract error details. Without a size limit on this operation, the memory allocated grows proportionally to the attacker-controlled response size. For detailed technical implementation, refer to the GitHub Security Advisory GHSA-q834-8qmm-v933.
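The unbounded read described under Root Cause and in the mechanism paragraph above, shown beside a bounded read, as an added illustration that is not OpenTelemetry .NET's own code or the 1.15.2 fix. It assumes .NET 6 or later; the 64 KiB cap and the class and method names are placeholders chosen for this example, not values from the advisory.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Illustrative helper, not OpenTelemetry .NET's code; assumes .NET 6 or later.
public static class ErrorBodyReader
{
    // Cap on how much of a 4xx/5xx body is held in memory. The value is an
    // assumption for this example, not the limit chosen in the 1.15.2 fix.
    private const int MaxErrorBodyBytes = 64 * 1024;

    // Vulnerable pattern: the whole body is buffered, so the allocation is
    // sized by whatever the remote endpoint decides to send.
    public static Task<string> ReadUnboundedAsync(HttpResponseMessage response, CancellationToken ct)
        => response.Content.ReadAsStringAsync(ct);

    // Hardened pattern: stream the body and stop after MaxErrorBodyBytes.
    // Only effective when the response was requested with
    // HttpCompletionOption.ResponseHeadersRead; otherwise HttpClient has
    // already buffered the full body before this method runs.
    public static async Task<string> ReadBoundedAsync(HttpResponseMessage response, CancellationToken ct)
    {
        using Stream body = await response.Content.ReadAsStreamAsync(ct);
        byte[] buffer = new byte[MaxErrorBodyBytes];
        int total = 0;
        while (total < buffer.Length)
        {
            int n = await body.ReadAsync(buffer.AsMemory(total, buffer.Length - total), ct);
            if (n == 0) break; // body ended within the cap
            total += n;
        }
        // One extra read tells us whether the server sent more than we kept.
        bool truncated = total == buffer.Length
            && await body.ReadAsync(new byte[1], ct) > 0;
        string text = Encoding.UTF8.GetString(buffer, 0, total);
        return truncated ? text + " [truncated]" : text;
    }

    // Send the export request so the body is not pre-buffered, then apply
    // the bounded read only on error status codes.
    public static async Task<string?> ExportAsync(HttpClient client, HttpRequestMessage request, CancellationToken ct)
    {
        using HttpResponseMessage response = await client.SendAsync(
            request, HttpCompletionOption.ResponseHeadersRead, ct);
        if (response.IsSuccessStatusCode)
            return null; // success: no error details to read
        return await ReadBoundedAsync(response, ct);
    }
}
```

HttpClient.MaxResponseContentBufferSize is a complementary control for the buffered path (the client throws instead of allocating past the limit), but it applies only when the client buffers the content, not to the streamed read shown here.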
Detection Methods for CVE-2026-40182
Indicators of Compromise
- Sudden spikes in memory consumption by applications using OpenTelemetry .NET
- Out-of-memory exceptions in application logs related to telemetry export operations
- Unusual network traffic patterns between applications and telemetry collector endpoints
- Application crashes or unresponsiveness following failed telemetry export attempts
Detection Strategies
- Monitor application memory usage for abnormal growth patterns during telemetry export operations
- Implement network traffic analysis to detect unusually large HTTP responses from collector endpoints
- Review application logs for repeated HTTP 4xx or 5xx responses from OTLP collectors
- Audit configured collector endpoints to ensure they are trusted and not potentially attacker-controlled
Monitoring Recommendations
- Configure memory usage alerts for applications utilizing OpenTelemetry .NET exporters
- Implement network monitoring between applications and collector endpoints for anomalous traffic
- Enable detailed logging for OTLP export operations to capture error response patterns
- Regularly review and validate the integrity of collector endpoint configurations
How to Mitigate CVE-2026-40182
Immediate Actions Required
- Upgrade OpenTelemetry .NET to version 1.15.2 or later immediately
- Audit all applications using OpenTelemetry .NET to identify vulnerable versions
- Verify that collector endpoints are legitimate and properly secured
- Implement network security controls to prevent man-in-the-middle attacks on telemetry traffic
Patch Information
The vulnerability is fixed in OpenTelemetry .NET version 1.15.2. The fix implements a maximum size limit on response body reads when processing error responses from OTLP collectors. Organizations should upgrade to this version or later to remediate the vulnerability. Additional technical details about the fix can be found in GitHub Pull Request #7017 and GitHub Pull Request #6564.
Workarounds
- Ensure collector endpoints are only configured to trusted, organization-controlled infrastructure
- Implement TLS/mTLS for all connections to collector endpoints to prevent man-in-the-middle attacks
- Deploy network segmentation to limit exposure of telemetry traffic to adjacent network attackers
- Consider implementing application-level memory limits as a defense-in-depth measure
# Upgrade OpenTelemetry .NET packages to patched version
dotnet add package OpenTelemetry --version 1.15.2
dotnet add package OpenTelemetry.Exporter.OpenTelemetryProtocol --version 1.15.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.