{"id":"GHSA-mr8r-92fq-pj8p","summary":"OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` parsing in OTLP/gRPC retry handling","details":"### Summary\n\nWhen exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provided `grpc-status-details-bin` trailer during retry handling. Prior to the fix, a malformed trailer could encode an extremely large length-delimited protobuf field which was used directly for allocation, allowing excessive memory allocation and potential denial of service (DoS).\n\n### Details\n\n#5980 introduced a retry path that parses `grpc-status-details-bin` to extract gRPC retry delay information for retryable responses.\n\nOn that path:\n\n- `OtlpGrpcExportClient` captures `grpc-status-details-bin` from retryable status responses (`ResourceExhausted` / `Unavailable`).\n- `OtlpRetry` invokes `GrpcStatusDeserializer.TryGetGrpcRetryDelay` using this untrusted trailer value.\n- `GrpcStatusDeserializer.DecodeBytes` decoded a protobuf varint length and allocated `new byte[length]` without validating the bounds against the remaining payload size.\n\nA malicious or compromised collector (or a MitM in weakly-protected deployments) could return a crafted `grpc-status-details-bin` payload that forces oversized allocation and memory exhaustion in the instrumented process.\n\n### Impact\n\nIf an OTLP/gRPC endpoint is attacker-controlled (or traffic is intercepted), a crafted retryable response can trigger large allocations during trailer parsing, which may exhaust memory and cause process instability/crash (availability impact / DoS).\n\n### Mitigation\n\nThe application's configured back-end/collector endpoint needs to behave maliciously. If the collector/back-end is a well-behaved implementation response bodies should not be excessively large if a request error occurs.\n\n### Workarounds\n\nNone known.\n\n### Remediation\n\n[#7064](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7064) updates `GrpcStatusDeserializer` to validate decoded length-delimited field sizes before allocation by ensuring the requested length is sane and does not exceed the remaining payload.\n\nThis causes malformed or truncated `grpc-status-details-bin` payloads to fail safely instead of attempting unbounded allocation.","aliases":["CVE-2026-40891"],"modified":"2026-04-28T10:44:19.113248595Z","published":"2026-04-23T21:40:29Z","related":["CGA-px7w-f925-vh5p"],"database_specific":{"github_reviewed_at":"2026-04-23T21:40:29Z","nvd_published_at":"2026-04-23T18:16:28Z","github_reviewed":true,"severity":"MODERATE","cwe_ids":["CWE-789"]},"references":[{"type":"WEB","url":"https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-mr8r-92fq-pj8p"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40891"},{"type":"WEB","url":"https://github.com/open-telemetry/opentelemetry-dotnet/pull/5980"},{"type":"WEB","url":"https://github.com/open-telemetry/opentelemetry-dotnet/pull/7064"},{"type":"PACKAGE","url":"https://github.com/open-telemetry/opentelemetry-dotnet"}],"affected":[{"package":{"name":"OpenTelemetry.Exporter.OpenTelemetryProtocol","ecosystem":"NuGet","purl":"pkg:nuget/OpenTelemetry.Exporter.OpenTelemetryProtocol"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.13.1"},{"fixed":"1.15.3"}]}],"versions":["1.13.1","1.14.0","1.15.0","1.15.1","1.15.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mr8r-92fq-pj8p/GHSA-mr8r-92fq-pj8p.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}