CVE-2026-40894 Overview
A denial of service vulnerability has been identified in the OpenTelemetry .NET telemetry framework. The vulnerability exists in the baggage, B3, and Jaeger processing code within the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages. When parsing maliciously crafted input, these components can allocate excessive memory, potentially leading to resource exhaustion and denial of service in applications consuming these packages.
Critical Impact
Applications using affected OpenTelemetry .NET packages may experience memory exhaustion and service disruption when processing specially crafted telemetry data, impacting availability of critical monitoring and observability infrastructure.
Affected Products
- OpenTelemetry.Api versions 0.5.0-beta.2 to 1.15.2
- OpenTelemetry.Extensions.Propagators versions 1.3.1 to 1.15.2
Discovery Timeline
- April 23, 2026 - CVE-2026-40894 published to NVD
- April 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-40894
Vulnerability Analysis
This vulnerability is classified under CWE-789 (Memory Allocation with Excessive Size Value). The flaw resides in the parsing logic for distributed tracing context propagation formats, specifically affecting the baggage, B3, and Jaeger propagators implemented in the OpenTelemetry .NET SDK.
The OpenTelemetry framework is widely used for collecting telemetry data (metrics, logs, and traces) from distributed applications. The vulnerable components handle incoming HTTP headers that carry distributed tracing context between services. When these propagators encounter specially crafted header values, the parsing routines may allocate disproportionately large amounts of memory relative to the input size.
This memory allocation issue can be triggered remotely through network requests containing malicious header values, without requiring any authentication or user interaction. The impact is limited to availability, as the vulnerability does not allow for information disclosure or integrity violations.
Root Cause
The root cause is improper validation of input sizes before memory allocation in the context propagation parsing code. When processing baggage, B3, or Jaeger headers, the affected code paths do not adequately limit memory allocation based on input parameters, allowing an attacker to trigger excessive memory consumption through carefully constructed input values.
Attack Vector
The attack vector is network-based, requiring an attacker to send HTTP requests with malicious headers to an application using the vulnerable OpenTelemetry packages. The attack does not require authentication or privileges, and no user interaction is needed. An attacker can exploit this by:
- Identifying an application endpoint that processes distributed tracing headers
- Crafting HTTP requests with maliciously formed baggage, B3, or Jaeger context headers
- Sending repeated requests to exhaust server memory resources
- Causing service degradation or complete denial of service
For detailed technical information on the vulnerability mechanism, refer to the GitHub Security Advisory GHSA-g94r-2vxg-569j.
Detection Methods for CVE-2026-40894
Indicators of Compromise
- Unusual memory consumption spikes in applications using OpenTelemetry .NET packages
- Increased garbage collection activity without corresponding increase in legitimate traffic
- Out-of-memory exceptions or application crashes in services processing distributed tracing headers
- HTTP requests containing abnormally large or malformed baggage, b3, X-B3-*, or uber-trace-id headers
Detection Strategies
- Monitor application memory usage patterns and set alerts for abnormal memory allocation rates
- Implement request header size validation at the load balancer or API gateway level
- Deploy SentinelOne agents to detect and alert on resource exhaustion patterns indicative of DoS attacks
- Review application logs for parsing errors related to distributed tracing context headers
Monitoring Recommendations
- Configure memory utilization alerts with appropriate thresholds for applications using OpenTelemetry
- Implement rate limiting on endpoints that process distributed tracing headers
- Monitor for repeated requests from single sources with large or malformed tracing headers
- Enable SentinelOne's real-time monitoring capabilities to detect resource exhaustion attacks
How to Mitigate CVE-2026-40894
Immediate Actions Required
- Upgrade OpenTelemetry.Api to version 1.15.3 or later immediately
- Upgrade OpenTelemetry.Extensions.Propagators to version 1.15.3 or later immediately
- Review and audit all applications using the affected NuGet packages
- Implement header size limits at the ingress layer as a defense-in-depth measure
Patch Information
The vulnerability is fixed in OpenTelemetry .NET version 1.15.3. The fix addresses the memory allocation issues in the baggage, B3, and Jaeger propagator implementations. Organizations should update their NuGet package references to use the patched versions.
Related pull requests documenting the fix include:
Workarounds
- Implement request header size limits at the reverse proxy or load balancer level to reject requests with excessively large tracing headers
- Configure web application firewall (WAF) rules to filter malformed distributed tracing headers
- Temporarily disable unused propagators (B3, Jaeger, or baggage) if your application does not require them
- Implement application-level memory limits and circuit breakers to prevent complete service failure
# Update OpenTelemetry packages to patched versions
dotnet add package OpenTelemetry.Api --version 1.15.3
dotnet add package OpenTelemetry.Extensions.Propagators --version 1.15.3
# Verify installed versions
dotnet list package --include-transitive | grep -i opentelemetry
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
