
CVE-2026-40891: OpenTelemetry dotnet DoS Vulnerability

CVE-2026-40891 is a denial of service flaw in OpenTelemetry dotnet that allows excessive memory allocation through malformed gRPC trailers. This post covers technical details, affected versions, and mitigation steps.

Published: April 23, 2026

CVE-2026-40891 Overview

OpenTelemetry .NET is a popular telemetry framework used for collecting and exporting observability data from .NET applications. A denial of service vulnerability exists in OpenTelemetry .NET SDK versions from 1.13.1 up to, but not including, 1.15.2. When exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter parses a server-provided grpc-status-details-bin trailer during retry handling. A malformed trailer could encode an extremely large length-delimited protobuf field, and that length was used directly for memory allocation without validation, allowing excessive memory allocation and potential denial of service (DoS).

Critical Impact

Attackers positioned on an adjacent network can exploit this vulnerability to cause memory exhaustion in applications using OpenTelemetry .NET OTLP gRPC exporters, leading to service unavailability and potential cascading failures in observability pipelines.

Affected Products

  • OpenTelemetry .NET SDK versions 1.13.1 to 1.15.1
  • Applications using OTLP gRPC exporter for telemetry export
  • .NET services configured with OpenTelemetry instrumentation and gRPC transport

Discovery Timeline

  • 2026-04-23 - CVE-2026-40891 published to NVD
  • 2026-04-23 - Last updated in the NVD database

Technical Details for CVE-2026-40891

Vulnerability Analysis

This vulnerability falls under CWE-789 (Memory Allocation with Excessive Size Value), a memory exhaustion condition that occurs when software allocates memory based on untrusted input without proper bounds checking. In the context of OpenTelemetry .NET, the flaw resides in the OTLP gRPC exporter's retry handling mechanism.

When the OTLP exporter encounters transport errors and attempts retries, it parses the grpc-status-details-bin trailer returned by the server to extract detailed status information. The protobuf parsing logic for this trailer did not properly validate length-delimited field sizes before allocating memory buffers. A malicious or compromised telemetry backend could craft a response containing an encoded length prefix specifying an extremely large allocation size, potentially gigabytes of memory, which the client would attempt to allocate.

The attack requires adjacent network access, meaning the attacker must be able to intercept or act as the telemetry backend receiving gRPC connections. While this raises the attack complexity, environments with compromised internal networks or man-in-the-middle positions are vulnerable. The impact is limited to availability; no data confidentiality or integrity compromise is possible through this vector.

Root Cause

The root cause is insufficient input validation in the protobuf parsing logic for the grpc-status-details-bin gRPC trailer. The length-delimited field's encoded size was trusted without verification against reasonable maximum bounds, leading to uncontrolled memory allocation. This is a classic instance of trusting untrusted data for resource allocation decisions. The fix introduces proper validation of length prefixes before memory allocation, rejecting malformed or excessively large values.

Attack Vector

The attack requires an adversary to position themselves as the telemetry collection endpoint or to intercept gRPC communications on the adjacent network. When the victim's application sends telemetry data via OTLP gRPC and receives a crafted response with a malformed grpc-status-details-bin trailer during a retry scenario, the exporter's parsing logic attempts to allocate memory based on the attacker-controlled length value.

The vulnerability manifests during retry handling in the OTLP gRPC exporter. When a server returns an error response with the malicious trailer, the client attempts to parse the protobuf-encoded status details. The length prefix in the protobuf wire format specifies how many bytes to read for the next field, and this value was used directly for buffer allocation without bounds checking. See the GitHub Security Advisory GHSA-mr8r-92fq-pj8p for complete technical details.
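As an added illustration, not code from the OpenTelemetry project or from this advisory, the following Python parser for the grpc-status-details-bin trailer (a base64-encoded google.rpc.Status message) performs the check described above: every length prefix is validated against the bytes actually present and a cap before any buffer is carved out. The 64 KiB cap, the function names and the two sample trailers are assumptions constructed for this example.

```python
import base64

MAX_FIELD_BYTES = 64 * 1024  # defensive cap on one field; an assumption chosen for this example

def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    value, shift = 0, 0  # protobuf base-128 varint: 7 payload bits per byte, MSB set = more follow
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def parse_status_trailer(trailer_b64: str) -> dict:
    """Parse grpc-status-details-bin (base64 google.rpc.Status: 1=code, 2=message, 3=details).
    Every declared length is checked against the bytes remaining and the cap before any
    buffer is carved out: the check the vulnerable path lacked. Stripped padding is restored."""
    buf = base64.b64decode(trailer_b64 + "=" * (-len(trailer_b64) % 4))
    status, pos = {"code": None, "message": "", "details": []}, 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field, wire_type = key >> 3, key & 0x7
        if wire_type == 0:  # varint field
            value, pos = read_varint(buf, pos)
            if field == 1:
                status["code"] = value
        elif wire_type == 2:  # length-delimited field: the server-controlled length prefix
            length, pos = read_varint(buf, pos)
            if length > len(buf) - pos or length > MAX_FIELD_BYTES:
                raise ValueError(f"field {field} declares {length} bytes, {len(buf) - pos} remain")
            payload, pos = buf[pos:pos + length], pos + length
            if field == 2:
                status["message"] = payload.decode("utf-8", "replace")
            elif field == 3:
                status["details"].append(payload)
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
    return status

def classify_trailer(trailer_b64: str) -> str:  # defender-side verdict for one trailer value
    try:
        parse_status_trailer(trailer_b64)
        return "ok"
    except ValueError as exc:
        return f"malformed: {exc}"

# Constructed samples, not captured traffic: code 14 (UNAVAILABLE) with message "try later",
# and one whose message length prefix declares 0xFFFFFFFF bytes (~4 GiB) while none follow.
BENIGN_TRAILER = base64.b64encode(b"\x08\x0e\x12\x09try later").decode()
OVERSIZED_TRAILER = base64.b64encode(b"\x08\x0e\x12\xff\xff\xff\xff\x0f").decode()
```

The oversized sample is rejected before any allocation happens, whereas code that trusted the prefix would attempt a multi-gigabyte buffer from an eight-byte trailer.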

Detection Methods for CVE-2026-40891

Indicators of Compromise

  • Sudden memory spikes in applications using OpenTelemetry .NET with OTLP gRPC export
  • Out-of-memory exceptions or application crashes during telemetry export operations
  • Abnormal gRPC response patterns from telemetry backends containing oversized trailers
  • Application pool recycling or container restarts due to memory pressure

Detection Strategies

  • Monitor process memory utilization for .NET applications with OpenTelemetry instrumentation
  • Implement alerting on OutOfMemoryException occurrences in application logs
  • Review gRPC traffic for anomalous grpc-status-details-bin trailer sizes
  • Audit OpenTelemetry .NET package versions across the software inventory

Monitoring Recommendations

  • Deploy APM monitoring to track memory allocation patterns in affected applications
  • Configure resource limits (memory) for containers running vulnerable workloads
  • Enable detailed logging for OTLP exporter retry operations
  • Monitor network traffic between applications and telemetry collection endpoints for anomalies

How to Mitigate CVE-2026-40891

Immediate Actions Required

  • Upgrade OpenTelemetry .NET SDK to version 1.15.2 or later immediately
  • Review all .NET applications using OpenTelemetry with OTLP gRPC transport
  • Audit NuGet package dependencies for affected OpenTelemetry versions
  • Consider temporarily switching to HTTP/protobuf transport if immediate upgrade is not possible

Patch Information

The vulnerability is fixed in OpenTelemetry .NET version 1.15.2. The fix introduces proper validation of length-delimited field sizes before memory allocation in the OTLP gRPC exporter's retry handling logic. Organizations should update their NuGet package references to the patched version. Refer to GitHub Pull Request #7064 and GitHub Pull Request #5980 for implementation details of the security fix.

Workarounds

  • Configure memory limits on application containers to prevent system-wide impact from memory exhaustion
  • Use network segmentation to restrict which endpoints can act as telemetry backends
  • If upgrading is not immediately possible, consider switching to OTLP HTTP/protobuf export instead of gRPC
  • Implement network-level monitoring between applications and telemetry collectors
```bash
# Update OpenTelemetry .NET packages to the patched version
dotnet add package OpenTelemetry.Exporter.OpenTelemetryProtocol --version 1.15.2

# Verify the installed package version
dotnet list package | grep OpenTelemetry
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: DOS
  • Vendor/Tech: Opentelemetry
  • Severity: MEDIUM
  • CVSS Score: 5.3
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Assessment

  • Confidentiality: High
  • Integrity: None
  • Availability: High

CWE References

  • CWE-789

Technical References

  • GitHub Pull Request #5980
  • GitHub Pull Request #7064
  • GitHub Security Advisory GHSA-mr8r-92fq-pj8p

Related CVEs

  • CVE-2026-41484: OpenTelemetry OneCollector DOS Vulnerability
  • CVE-2026-41483: OpenTelemetry Azure Resources DOS Attack
  • CVE-2026-41310: OpenTelemetry Zipkin Exporter DOS Vulnerability
  • CVE-2026-41078: OpenTelemetry Jaeger Exporter DoS Flaw
©2026 SentinelOne, All Rights Reserved.
