diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1b5f2cb4c64..88650c385e4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 - Custom attributes targeting metrics recorded by the `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` are not ignored anymore. (#5129)
 - Use `c.FullPath()` method to set `http.route` attribute in `go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin`. (#5734)
 - The double setup in `go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace/example` that caused duplicate traces. (#5564)
+- Out-of-bounds panic in case of invalid span ID in `go.opentelemetry.io/contrib/propagators/b3`. (#5754)
 ### Deprecated
diff --git a/propagators/b3/b3_propagator.go b/propagators/b3/b3_propagator.go
index 3d665ca9975..45d0811a26e 100644
--- a/propagators/b3/b3_propagator.go
+++ b/propagators/b3/b3_propagator.go
@@ -277,6 +277,9 @@ func extractSingle(ctx context.Context, contextHeader string) (context.Context,
 }
 pos += separatorWidth // {traceID}-
+ if headerLen < pos+spanIDWidth {
+ return ctx, empty, errInvalidSpanIDValue
+ }
 scc.SpanID, err = trace.SpanIDFromHex(contextHeader[pos : pos+spanIDWidth])
 if err != nil {
 return ctx, empty, errInvalidSpanIDValue
diff --git a/propagators/b3/b3_propagator_test.go b/propagators/b3/b3_propagator_test.go
index bac1893f4e5..f111d38247b 100644
--- a/propagators/b3/b3_propagator_test.go
+++ b/propagators/b3/b3_propagator_test.go
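Review bot: The new guard `if headerLen < pos+spanIDWidth` in extractSingle (propagators/b3/b3_propagator.go) has no comment saying that it protects the slice expression on the following line. The header it measures normally arrives from a remote peer, so the failure it prevents is a request-triggered panic, and that is worth stating in the code. I would add `// contextHeader is peer-supplied: reject a truncated span ID before slicing, otherwise the slice expression panics.` directly above the check. extractSingle starts and ends outside this hunk, so any later fixed-offset reads of contextHeader are not visible here; they should be checked for the same length precondition.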
@@ -216,6 +216,18 @@ func TestExtractSingle(t *testing.T) {
 {"3", trace.SpanContextConfig{}, errInvalidSampledByte, false, false},
 {"000000000000007b", trace.SpanContextConfig{}, errInvalidScope, false, false},
 {"000000000000007b00000000000001c8", trace.SpanContextConfig{}, errInvalidScope, false, false},
+ // TraceID with illegal length
+ {
+ "000001c8-000000000000007b",
+ trace.SpanContextConfig{},
+ errInvalidTraceIDValue, false, false,
+ },
+ // SpanID with illegal length
+ {
+ "000000000000007b00000000000001c8-0000007b",
+ trace.SpanContextConfig{},
+ errInvalidSpanIDValue, false, false,
+ },
 // Support short trace IDs.
 {
 "00000000000001c8-000000000000007b",
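Review bot: The added TestExtractSingle cases exercise the span-ID guard only with an 8-digit span ID after a 32-digit trace ID, so the edges of the new length check are untested. The tightest case is a header that stops right after the separator, e.g. `{"000000000000007b00000000000001c8-", trace.SpanContextConfig{}, errInvalidSpanIDValue, false, false},`. I would expect errInvalidSpanIDValue there, but that depends on the trace-ID branch, which is outside this diff, so confirm before adding it. Because the input is an untrusted header, a small Go fuzz target that only asserts extractSingle returns without panicking would cover the remaining length combinations. The test table continues beyond this hunk.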