OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers

Summary The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service DoS in the consuming application. Details...

GHSA-G94R-2VXG-569J OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers

Summary The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service DoS in the consuming application. Details...

Memory Allocation with Excessive Size Value

Overview OpenTelemetry.Api is a package that application developers and library authors use to instrument their application/library. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the processing of propagation headers such as baggage, B3, and...

OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` parsing in OTLP/gRPC retry handling

Summary When exporting telemetry over gRPC using the OpenTelemetry Protocol OTLP, the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could encode an extremely large length-delimited protobuf field which was used...

CVE-2026-40894

OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators...

CVE-2026-41173

The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies from a configured AWS X-Ray remote sampling endpoint into memory. AWSXRaySamplerClient.DoRequestAsyn...

CVE-2026-40894 OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers

OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators...

CVE-2026-40894

OpenTelemetry dotnet vulnerable versions: OpenTelemetry.Api 0.5.0-beta.2–1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1–1.15.2 contain code paths for baggage, B3 and Jaeger processing that can allocate excessive memory when parsing propagation headers, potentially leading to a DoS. The iss...

CVE-2026-40891 OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` parsing in OTLP/gRPC retry handling

OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry over gRPC using the OpenTelemetry Protocol OTLP, the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could...

CVE-2026-40891

OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry over gRPC using the OpenTelemetry Protocol OTLP, the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could...

erofs: add GFP_NOIO in the bio completion if needed

...

CVE-2026-41197

Noir is a Domain Specific Language for SNARK proving systems that is designed to use any ACIR compatible proving system, and Brillig is the bytecode ACIR uses for non-determinism. Noir programs can invoke external functions through foreign calls. When compiling to Brillig bytecode, the SSA...

SUSE CVE-2026-31445

In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: avoid use of half-online-committed context One major usage of damoncall is online DAMON parameters update. It is done by calling damoncommitctx inside the damoncall callback function. damoncommitctx can fail for tw...

SUSE CVE-2026-31467

In the Linux kernel, the following vulnerability has been resolved: erofs: add GFPNOIO in the bio completion if needed The bio completion path in the process context e.g. dm-verity will directly call into decompression rather than trigger another workqueue context for minimal scheduling latencies...

SUSE CVE-2026-33260

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default...

Noir 安全漏洞

Noir is an open-source domain-specific language developed by noir-lang, used for SNARK proofs. Versions of Noir prior to 1.0.0-beta.19 contained a security vulnerability, caused by a nested array memory allocation error, which could lead to damage to the Brillig VM heap...

PT-2026-34721

Name of the Vulnerable Software and Affected Versions OpenTelemetry.Sampler.AWS versions prior to 0.1.0-alpha.8 OpenTelemetry.Resources.AWS versions prior to 1.15.1 Description OpenTelemetry.Sampler.AWS and OpenTelemetry.Resources.AWS read unbounded HTTP response bodies from configured endpoints...

PT-2026-34708

Name of the Vulnerable Software and Affected Versions OpenTelemetry dotnet versions 1.13.1 through 1.15.1 Description When exporting telemetry over gRPC using the OpenTelemetry Protocol OTLP, the exporter may parse a server-provided 'grpc-status-details-bin' trailer during retry handling. A...

Oracle Linux 10 : wireshark (ELSA-2026-9666)

The remote Oracle Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-9666 advisory. - Resolves: RHEL-152921 - CVE-2026-3203 Buffer Over-read - Resolves: RHEL-152912 - CVE-2026-3201 Improperly Controlled Sequential Memory Allocation -...

CVE-2026-31445

A flaw was found in the Linux kernel. When updating DAMON Data Access MONitor parameters, an internal memory allocation failure during the damoncommitctx function could leave the DAMON context in a partially corrupted state. If this corrupted context is subsequently used, it can lead to unexpecte...