The vulnerability (CVE-2026-40182) resides in the OpenTelemetry dotnet SDK’s OTLP HTTP exporter (OpenTelemetry.Exporter.OpenTelemetryProtocol). When the exporter sends telemetry data to a configured collector endpoint and receives a non-200 HTTP status code (4xx or 5xx), the `HttpJsonPostTransport` class reads the entire response body into memory without any upper bound on the number of bytes consumed. This behavior was intended to help operators debug error responses by including the full response in the logs. An attacker who controls the collector endpoint, or who can perform a Man-in-the-Middle (MitM) attack on the connection, can send back an arbitrarily large HTTP response body when a request fails. On the SDK side, the unbounded read from the response stream triggers excessive heap allocation, leading to high transient memory pressure, garbage-collection stalls, and potentially an `OutOfMemoryException` that terminates the entire consuming process. The vulnerability affects all versions of OpenTelemetry dotnet from 1.13.1 up to, but not including, 1.15.2. It requires the attacker to have the ability to influence the response body of a failing HTTP request, either by owning the collector endpoint or by intercepting the network traffic. The fix, implemented in pull request 4117, limits the number of bytes read from the response body in an error condition to a safe maximum of 4 MiB, preventing unbounded memory allocation.
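The unbounded read and the 4 MiB cap described above, as an added C# example that is not the SDK's own `HttpJsonPostTransport` code: `ReadErrorBodyUnbounded` reproduces the vulnerable pattern, and `ReadErrorBodyBounded` stops at `MaxErrorBodyBytes` no matter what the server declares or how long it keeps sending. The class, method and constant names and the in-memory 50 MiB error response are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

// Added illustration of the unbounded-read defect and its bounded replacement.
// Not OpenTelemetry's HttpJsonPostTransport; all names below are ours.
static class ErrorBodyReader
{
    // Matches the 4 MiB cap described for the fix in PR 4117.
    public const int MaxErrorBodyBytes = 4 * 1024 * 1024;

    // Vulnerable pattern: buffers whatever the server sends, so a hostile
    // collector turns one failed export into an arbitrarily large allocation.
    public static Task<string> ReadErrorBodyUnbounded(HttpResponseMessage response)
        => response.Content.ReadAsStringAsync();

    // Hardened pattern: copy at most MaxErrorBodyBytes, ignoring Content-Length
    // and stopping even if the server never closes the stream.
    public static async Task<(byte[] Body, bool Truncated)> ReadErrorBodyBounded(HttpResponseMessage response)
    {
        using Stream source = await response.Content.ReadAsStreamAsync();
        var collected = new MemoryStream();
        byte[] buffer = new byte[8192];
        int remaining = MaxErrorBodyBytes;
        while (remaining > 0)
        {
            int read = await source.ReadAsync(buffer, 0, Math.Min(buffer.Length, remaining));
            if (read == 0) break;                 // server closed the connection
            collected.Write(buffer, 0, read);
            remaining -= read;
        }
        // remaining == 0 means the cap was hit; more data may have been left unread.
        return (collected.ToArray(), remaining == 0);
    }

    public static async Task Main()
    {
        // Constructed sample: a 500 response with a 50 MiB body, built in memory so the demo runs offline.
        var oversized = new MemoryStream(new byte[50 * 1024 * 1024]);
        using var response = new HttpResponseMessage(HttpStatusCode.InternalServerError) { Content = new StreamContent(oversized) };
        var (body, truncated) = await ReadErrorBodyBounded(response);
        Console.WriteLine($"status={(int)response.StatusCode} kept={body.Length} bytes truncated={truncated}");
        // Over a real connection, send with HttpCompletionOption.ResponseHeadersRead;
        // otherwise HttpClient buffers the whole body before this code ever runs.
    }
}
```

The bounded reader keeps exactly 4,194,304 bytes of the 50 MiB body and reports `truncated=true`; the unbounded reader on the same response would allocate the full 50 MiB plus the UTF-16 string copy.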
dailycve form:
Platform: .NET
Version: 1.13.1-1.15.1
Vulnerability: Memory Exhaustion
Severity: Medium
Date: 2026-04-23
Prediction: 2026-04-30
What Undercode Say:
CVE-2026-40182 can be investigated with the bash commands below: check the OpenTelemetry dotnet version used in a project, simulate a malicious collector endpoint that answers with an oversized error response, and monitor the memory consumption of the exporting process.
Check current OpenTelemetry dotnet version in a .NET project
grep -rE --include='*.csproj' '<PackageReference Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="' .
Use netcat to create a mock collector that returns a 500 error with a 10MB body
dd if=/dev/zero bs=1M count=10 | { echo -e "HTTP/1.1 500 Internal Server Error\r\nContent-Length: 10485760\r\n\r\n"; cat; } | nc -l 8080
Monitor memory usage of the .NET process while it sends telemetry to the fake collector
while true; do ps -o vsz,rss,comm -p $(pgrep -f "dotnet.YourApp.dll"); sleep 1; done
Exploit:
To exploit CVE-2026-40182, an attacker must control the collector endpoint or perform a MitM attack on the HTTP connection. The attacker configures the collector to respond to any telemetry export request (which is typically a POST with telemetry data) with an HTTP error status code (e.g., 400, 500) and includes an extremely large response body, such as 50 MB of arbitrary data or a slow, never-ending stream. The vulnerable SDK will read this entire response into memory, consuming all available heap space, causing the application to become unresponsive or crash with an OutOfMemoryException. The attack requires no authentication and can be executed repeatedly to maintain a denial-of-service condition.
Protection from this CVE
1. Upgrade OpenTelemetry dotnet to version 1.15.2 or later, which introduces a 4 MiB read limit for error response bodies.
2. Implement network-level controls such as firewalls, mTLS, or service meshes to prevent MitM attacks on the collector endpoint.
3. Use trusted collector endpoints and avoid sending telemetry to untrusted or public networks. Monitor telemetry endpoints for unusual response patterns and log the size of error responses to detect potential attacks.
Impact
Successful exploitation leads to uncontrolled memory consumption in the client application, resulting in high memory usage, extended garbage collection pauses, and eventual process termination due to OutOfMemoryException. This creates a denial-of-service condition that can disrupt the entire application’s functionality. There is no data leakage or privilege escalation; the impact is limited to availability. The attack requires the collector endpoint to be on an adjacent network, and the CVSS score is estimated as Medium (5.3).
Sources:
Reported By: github.com