{"data":{"id":"fa72cf7f-dc4a-4141-93cd-73eca8c08881","title":"GHSA-g94r-2vxg-569j: OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers","summary":"OpenTelemetry .NET packages have a vulnerability where parsing propagation headers (headers that track request flow across services) can allocate excessive memory, potentially causing a denial of service (DoS, where a system becomes unavailable due to resource exhaustion). The issue occurs in baggage, B3, and Jaeger processing code that allocates temporary storage before checking size limits.","solution":"Pull request #7061 refactors the handling of baggage, B3 and Jaeger propagation headers so that parsing stops as soon as limits are exceeded and no intermediate arrays are allocated; the affected packages list 1.15.3 as the fixed version. Workarounds: configure appropriate HTTP request header limits in your web server, or disable baggage and/or trace propagation if not needed.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-g94r-2vxg-569j","publishedAt":"2026-04-23T21:43:53.000Z","cveId":"CVE-2026-40894","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["OpenTelemetry.Extensions.Propagators@>= 1.3.1, < 1.15.3 (fixed: 1.15.3)","OpenTelemetry.Api@>= 0.5.0-beta.2, < 1.15.3 (fixed: 1.15.3)"],"affectedVendors":[],"affectedVendorsRaw":[],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-23T21:43:53.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["availability"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.7,"researchCategory":null,"atlasIds":null}}