OpenTelemetry .NET gRPC Exporter Denial-of-Service Vulnerability via Malformed Status Trailer

Vulnerability

A denial-of-service vulnerability has been identified in the OpenTelemetry .NET exporter when exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP). It affects versions from 1.13.1 up to, but not including, 1.15.2. The flaw lies in the retry handling of the server-provided 'grpc-status-details-bin' trailer: a malformed trailer could encode an excessively large length-delimited protobuf field, and that declared length was used directly to size a memory allocation without being checked against the bytes actually present. This allowed excessive memory usage, potentially leading to process instability or a crash.
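The defect is a missing check between a length-delimited protobuf field's declared size and the payload actually present before that size drives an allocation. As an added illustration (not OpenTelemetry .NET code and not the patched implementation), the Python parser below reads a google.rpc.Status-shaped 'grpc-status-details-bin' trailer and validates every declared length against the remaining bytes and a hard cap before allocating; the field numbers follow google.rpc.Status, while the 64 KiB cap and the two sample trailers are constructed for the example.

```python
import base64
class MalformedTrailer(ValueError): pass   # trailer cannot be parsed safely

def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a base-128 varint at buf[pos]; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf) or shift > 63:           # truncated or > 10 bytes
            raise MalformedTrailer("truncated or oversized varint")
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def parse_status_details(trailer_b64: str, max_field_len: int = 64 * 1024) -> dict:
    """Parse google.rpc.Status fields code (1, varint) and message (2, bytes). A
    length-delimited field's declared size is checked against the bytes actually
    present and against a cap BEFORE any buffer is allocated from it."""
    buf = base64.b64decode(trailer_b64)
    out, pos = {"code": None, "message": None}, 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wire = tag >> 3, tag & 0x7
        if wire == 0:                                # varint
            value, pos = read_varint(buf, pos)
            if field == 1:
                out["code"] = value
        elif wire == 2:                              # length-delimited
            length, pos = read_varint(buf, pos)
            if length > len(buf) - pos or length > max_field_len:
                raise MalformedTrailer(f"declared length {length} exceeds payload or cap")
            chunk = bytes(buf[pos:pos + length])     # allocate only after the check
            pos += length
            if field == 2:
                out["message"] = chunk.decode("utf-8", errors="replace")
        else:
            raise MalformedTrailer(f"unsupported wire type {wire}")
    return out

def is_well_formed(trailer_b64: str) -> bool:
    try:
        parse_status_details(trailer_b64)
        return True
    except ValueError:       # MalformedTrailer or a base64 decoding error
        return False

# Constructed samples, not captured from any server: code=14, message="try later"
GOOD_TRAILER = base64.b64encode(b"\x08\x0e\x12\x09try later").decode()
# Field 2 declares a 2**31-1 byte payload (varint ff ff ff ff 07) with no bytes behind it
BAD_TRAILER = base64.b64encode(b"\x12\xff\xff\xff\xff\x07").decode()
```

The unchecked pattern would size a buffer from the 2**31-1 value in BAD_TRAILER; the checked parser rejects it without allocating anything.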

Impact

Exploitation of this vulnerability can cause excessive memory allocation, leading to memory exhaustion and process instability or crash, causing a denial-of-service condition.

Remediation

Upgrade to OpenTelemetry .NET version 1.15.2 or later, where this vulnerability has been fixed.

Added: Apr 23, 2026, 7:19 PM
Updated: Apr 23, 2026, 7:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.3
remediation: 0.0
relevance: 6.5
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.