CVE-2026-40182
⚪ For information
Unbounded memory consumption in OpenTelemetry dotnet allows an attacker to exhaust the application's resources.
| Field | Value |
|---|---|
| CVSS | 5.3 |
| EPSS | 0.1% |
| Exploit | none |
| Vendor | opentelemetry |
Source description (NVD)
OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, when exporting telemetry to a back-end/collector over gRPC or HTTP using the OpenTelemetry Protocol format (OTLP), if the request results in an unsuccessful response (i.e. HTTP 4xx or 5xx), the response body is read into memory with no upper bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured back-end/collector endpoint is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned in the response. This vulnerability is fixed in 1.15.2.
none
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 5.3 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.1% |
| Published (NVD) | 2026-04-23 18:16:28 UTC |
| Last modified (NVD) | 2026-04-29 13:52:26 UTC |
References
- https://github.com/open-telemetry/opentelemetry-dotnet/pull/6564 (security-advisories@github.com) [Issue Tracking, Patch]
- https://github.com/open-telemetry/opentelemetry-dotnet/pull/7017 (security-advisories@github.com) [Issue Tracking, Patch]
- https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-q834-8qmm-v933 (security-advisories@github.com) [Vendor Advisory]
- https://github.com/open-telemetry/opentelemetry-proto/pull/781 (security-advisories@github.com) [Issue Tracking]