GHSA-mr8r-92fq-pj8p: OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` parsing in OTLP/gRPC retry handling
Summary
OpenTelemetry's dotnet implementation has a vulnerability in how it handles gRPC responses during retries. When the server sends a `grpc-status-details-bin` trailer (extra data sent with a response), the code reads a length value from it without checking if that length is reasonable, potentially allowing an attacker to force the application to allocate massive amounts of memory and crash it (a denial of service attack, or DoS). A malicious collector or someone intercepting network traffic could exploit this.
Solution / Mitigation
Pull request #7064 updates `GrpcStatusDeserializer` to validate decoded length-delimited field sizes before allocation by ensuring the requested length is sane and does not exceed the remaining payload. This causes malformed or truncated `grpc-status-details-bin` payloads to fail safely instead of attempting unbounded allocation.
Vulnerability Details
EPSS: 0.0%
Yes
April 23, 2026
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem
CVE-2021-29541: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null p
Original source: https://github.com/advisories/GHSA-mr8r-92fq-pj8p
First tracked: April 23, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 75%