CVE-2026-45287: OpenTelemetry-Go File Descriptor Leak & Denial of Service
OpenTelemetry-Go versions prior to 0.0.17 contain a resource leak that causes file descriptor exhaustion. When an application repeatedly parses OpenTelemetry schema files using the `ParseFile` function, each call opens a file but fails to close it. In a long-running service, an attacker who can trigger repeated schema parsing—such as by supplying attacker-controlled file paths—can exhaust the process's file descriptor limit, forcing a denial of service. The vulnerability requires the consuming application to expose schema parsing to external input; it is not a direct remote attack vector.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-772, CWE-775
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-18
NVD description (verbatim)
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17, `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leaks one file descriptor on each successful `ParseFile` call. `ParseFile` opens the schema file and passes it to `Parse` without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. Exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path. Version 0.0.17 contains a patch for the issue.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` packages. The `ParseFile` function opens a file descriptor for the schema file but does not close it before passing the file handle to the `Parse` function. In stateless or batch-oriented applications this may be benign, but in long-running services that perform repeated parsing (especially when file paths are derived from user or external input), the cumulative leak exhausts the process file descriptor ulimit. Once the limit is reached, all subsequent file operations—logging, network I/O, database connections—fail, resulting in denial of service. The fix in version 0.0.17 ensures proper file closure after parsing.
Business impact
Services relying on OpenTelemetry-Go for telemetry schema validation are at risk if they parse schemas in response to external requests or in high-frequency loops. Affected deployments may experience unexpected service outages when file descriptors are exhausted, with symptoms appearing as 'too many open files' errors in application logs. This is particularly concerning for containerized environments where file descriptor limits are often tightly constrained. Recovery requires process restart, and the DoS condition can be triggered repeatedly if the underlying application logic remains unchanged.
Affected systems
Any application using OpenTelemetry-Go versions prior to 0.0.17 that calls `ParseFile` on `otel/schema/v1.0` or `otel/schema/v1.1` packages is potentially affected. Risk is highest in services that invoke `ParseFile` repeatedly—for example, those that parse schemas on per-request basis, in initialization loops, or when processing dynamic configuration. Applications that parse schemas only once during startup and cache the results face minimal risk.
Exploitability
Direct remote exploitation is not possible; an attacker cannot remotely trigger schema parsing unless the target application explicitly exposes that functionality. Exploitability depends entirely on application design. Services that accept file paths as input parameters, hot-reload schemas based on external configuration, or parse schemas in response to API requests create an exploitable condition. An authenticated user or external actor with the ability to influence schema file paths or trigger parsing logic can cause denial of service. The attack is low-complexity once the vulnerable code path is identified.
Remediation
Upgrade to OpenTelemetry-Go version 0.0.17 or later. Applications unable to upgrade immediately should audit their schema parsing logic: if `ParseFile` is called only at startup or infrequently, risk is reduced. Consider implementing rate-limiting or input validation around any user-supplied file paths passed to `ParseFile`. For high-risk environments, monitor file descriptor usage and set alerts for approaching the process limit.
Patch guidance
Apply OpenTelemetry-Go version 0.0.17 or later. Verify the update by checking the go.mod file and running `go list -m all` to confirm the installed version. Recompile and redeploy affected services. If you maintain internal mirrors or vendored dependencies, prioritize this update in your release cycle. Test in non-production environments first to confirm no side effects; the fix is a resource management improvement with no breaking API changes.
Detection guidance
Monitor application logs for 'too many open files' or 'EMFILE' errors, particularly if they correlate with increased request volume or configuration reloads. Use system-level tools like `lsof` or `/proc/[pid]/fd` to inspect file descriptor usage in running OpenTelemetry-Go-based processes. If file descriptor count climbs steadily during normal operation without corresponding file closures, investigate whether `ParseFile` is being called repeatedly. Correlate timing of file descriptor exhaustion with access logs to identify patterns of triggering requests.
Why prioritize this
This is a medium-severity resource exhaustion vulnerability suitable for standard patching cycles. It requires application-specific exposure to attacker-controlled schema parsing, preventing it from being automatically exploitable in most deployments. However, it should not be deprioritized: any service that dynamically loads or reloads schemas faces real DoS risk, and the fix is simple and low-risk. Organizations should triage based on whether their OpenTelemetry-Go usage pattern includes repeated `ParseFile` calls.
Risk score, explained
CVSS 5.5 (Medium) reflects local or authenticated attack surface (AV:L, PR:L), no confidentiality or integrity impact (C:N, I:N), and high availability impact (A:H). The score appropriately captures the resource exhaustion nature: the vulnerability is not easily exploitable from the network, but causes complete service denial once triggered. The low access vector and privilege requirement mean most organizations are not at immediate risk unless they have specifically exposed schema parsing logic to external or low-privileged users.
Frequently asked questions
Do we need to patch if we only parse schemas at application startup?
No, patching is not urgent. If your application calls `ParseFile` only once during initialization and caches the result, the file descriptor leak has minimal impact. However, we still recommend upgrading as part of your regular maintenance cycle to eliminate the risk if usage patterns change.
How do I know if my application is vulnerable?
Search your codebase for calls to `ParseFile` in `go.opentelemetry.io/otel/schema` packages. If the call occurs inside request handlers, configuration reload functions, or any loop, risk is elevated. If it occurs only in init() or main(), risk is low.
What happens when file descriptors are exhausted?
The operating system refuses new file operations, including file opens, network socket creation, and pipe operations. Your application will fail to log, connect to databases, or communicate over the network. Symptoms appear as cryptic 'too many open files' errors, and the only immediate recovery is restarting the process.
Does this vulnerability allow remote code execution?
No. The vulnerability is resource exhaustion (denial of service) only. It does not allow an attacker to execute code or read data. Remediation requires the application to expose schema parsing to external input; isolated services not exposing this functionality are not at risk.
This analysis is provided for informational purposes and reflects the publicly available CVE record and vendor advisories as of June 2026. Actual risk and exploitability depend on your specific application architecture and use of OpenTelemetry-Go schema parsing. Always verify patch availability and compatibility with your environment before deploying updates. SEC.co does not provide guarantees regarding the completeness or currency of vulnerability information; consult official vendor security advisories for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-41178MEDIUMOpenTelemetry-Go Baggage Parsing DoS Vulnerability
- CVE-2026-45676MEDIUMOpenTelemetry eBPF Instrumentation ELF Parser Denial of Service
- CVE-2026-45679MEDIUMOpenTelemetry eBPF Instrumentation Data Exfiltration via Redis Error Messages
- CVE-2026-45680MEDIUMOpenTelemetry eBPF Instrumentation CPU Exhaustion DoS
- CVE-2026-45681MEDIUMOpenTelemetry eBPF Instrumentation Memory Leak (MEDIUM)
- CVE-2026-45682MEDIUMOpenTelemetry eBPF Instrumentation Memory Leak in Java TLS State Tracking
- CVE-2026-45684MEDIUMOpenTelemetry eBPF Instrumentation Buffer Over-Read Vulnerability
- CVE-2026-45678HIGHOpenTelemetry eBPF Instrumentation Postgres Parser Denial-of-Service