OpenTelemetry NET OTLP Exporter, Unbounded Memory Allocation, CVE-2026-40182 (Medium)

Listen to this Post

When an OTLP exporter (gRPC/HTTP) receives a 4xx or 5xx error response, the original exporter read the entire response body into memory without enforcing any size limits. The vulnerability stems from a debugging feature added in pull request open-telemetry/opentelemetry-dotnet6564, which aimed to log the full error body to aid operators. An attacker controlling the collector endpoint (or performing a MitM attack) can exploit this by returning an arbitrarily large error response, causing the application to allocate an unbounded amount of heap memory. This leads to memory exhaustion, garbage-collection stalls, and ultimately an OutOfMemoryException, crashing the consuming process. The issue affects OTLP exporters for traces, metrics, and logs. The fix, implemented in pull request open-telemetry/opentelemetry-dotnet7017, caps the read limit at 4 MiB and only attempts to read the body if OpenTelemetry error logging is enabled.
Platform: .NET
Version: 1.13.1 to 1.15.2
Vulnerability: Memory exhaustion
Severity: Medium
date: 2026-04-23

Prediction: Patch already shipped

What Undercode Say:

Check your OpenTelemetry .NET package version
dotnet list package --include-transitive | grep OpenTelemetry.Exporter.OpenTelemetryProtocol
If vulnerable (1.13.1 <= version < 1.15.2), update immediately
dotnet add package OpenTelemetry.Exporter.OpenTelemetryProtocol --version 1.15.2

How Exploit:

An attacker controlling the collector endpoint returns a huge HTTP 500 error response:

Malicious collector sending a 1 GB error response
curl -X POST https://malicious-collector/v1/traces -d '...' \
-H "Content-Type: application/x-protobuf" \
--write-out 'HTTP %{http_code}\n' \
--output /dev/null

Protection:

1. Update to OpenTelemetry .NET ≥ 1.15.2

2. Ensure collector endpoints are trusted

3. Use mTLS to prevent MitM attacks

4. Monitor memory usage with `dotnet counters`

Impact:

Denial of service via memory exhaustion, potentially crashing the entire application.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top