CVE-2026-45682: OpenTelemetry eBPF Instrumentation Memory Leak in Java TLS State Tracking
OpenTelemetry's eBPF Instrumentation agent for Java contains a memory leak in its TLS connection state tracking. When Java applications handle repeated connection churn (connections opening and closing), the instrumentation fails to properly clean up its internal tracking queue, causing heap memory to grow indefinitely until the application runs out of memory and crashes. This affects long-running production JVMs where connection pools are regularly recycled. The issue is resolved in version 0.9.0.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.1 MEDIUM · CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-401, CWE-770
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the custom CappedConcurrentHashMap introduced for Java TLS state tracking never removes keys from its insertion-order queue when entries are deleted. In long-running instrumented JVMs, repeated connection churn can therefore grow the queue without bound and exhaust heap memory. This issue has been patched in version 0.9.0.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the custom CappedConcurrentHashMap used by OpenTelemetry eBPF Instrumentation to track Java TLS connection state. While the map itself enforces a size cap, its underlying insertion-order queue does not evict entries when keys are deleted from the map. Over time in high-churn environments, queue entries accumulate without bound, consuming heap memory at an accelerating rate. This is rooted in incomplete cleanup logic (CWE-401: Missing Release of Memory After Effective Lifetime; CWE-770: Allocation of Resources Without Limits or Throttling).
Business impact
In production environments, this vulnerability manifests as eventual heap exhaustion and application crashes. For services deployed with OpenTelemetry eBPF Instrumentation monitoring high-traffic Java workloads—particularly those with connection pooling and frequent reconnects—the issue is triggered after hours or days of operation. This translates to unplanned downtime, failed SLOs, and loss of observability data collection during incidents. Organizations running instrumented services without awareness of this flaw risk production outages.
Affected systems
OpenTelemetry eBPF Instrumentation versions prior to 0.9.0 are affected. The issue impacts any long-running Java Virtual Machine instrumented with this agent that handles repeated TLS connection lifecycle events (connection open, close, reopen). Environments with high connection churn—such as microservices communicating over TLS, load-balanced backends, or applications with aggressive connection pooling—face the greatest risk.
Exploitability
This is not an exploitable vulnerability in the traditional sense; there is no remote attack vector or privilege escalation path. Instead, it is a resource exhaustion vulnerability triggered by normal application behavior. An attacker cannot directly trigger the leak, but any environment with high connection turnover will eventually exhaust memory. The CVSS score of 5.1 (Medium) reflects local impact (heap DoS) without requiring special privileges or user interaction, but with elevated complexity due to environmental preconditions (connection churn volume and duration).
Remediation
Upgrade OpenTelemetry eBPF Instrumentation to version 0.9.0 or later. Organizations unable to upgrade immediately should monitor heap memory usage in instrumented JVMs and establish automated restarts or alerts triggered by heap pressure thresholds. Consider temporarily disabling eBPF instrumentation on critical services until patching can be completed, or deploy instrumentation only in non-production or low-churn environments.
Patch guidance
Consult the OpenTelemetry project release notes and vendor advisory for version 0.9.0 to verify availability and any prerequisite compatibility requirements. Test the patched version in a staging environment that replicates your connection churn patterns before rolling to production. Verify heap memory stabilization post-deployment by observing memory metrics over at least one full application cycle (including peak traffic windows).
Detection guidance
Monitor heap memory trend lines in instrumented JVMs. A monotonically increasing heap usage pattern (after accounting for garbage collection cycles) despite stable application load is a strong signal. Enable heap dumps on OutOfMemoryError and inspect the CappedConcurrentHashMap instance to identify queue bloat. Java profilers and heap analysis tools can confirm whether TLS tracking structures are retaining entries. Review OpenTelemetry instrumentation logs for warnings about connection state tracking anomalies.
Why prioritize this
Although the CVSS score is Medium, this vulnerability warrants prompt attention because (1) it affects availability in production long-running services, (2) it is triggered by normal operational patterns (connection recycling), not edge cases, and (3) the fix is straightforward (version upgrade). Organizations with high-throughput Java services should prioritize patching over lower-impact vulnerabilities. However, this does not require emergency response unless instrumented services are already experiencing unexplained heap exhaustion.
Risk score, explained
The CVSS 3.1 score of 5.1 reflects a local scope denial-of-service impact (heap exhaustion) requiring elevated environmental complexity (sustained high connection churn) but no special privileges or user interaction. The attack vector is Local because the instrumentation runs within the JVM process itself. High availability impact is offset by the requirement for specific operational conditions, justifying a Medium severity rating.
Frequently asked questions
Does this vulnerability allow remote code execution or data theft?
No. This is strictly a resource exhaustion (denial-of-service) vulnerability. An attacker cannot remotely trigger the memory leak or access sensitive data. The leak occurs naturally during normal high-churn connection operations in instrumented JVMs.
How long does it take for the memory leak to exhaust the heap?
The timeline depends on connection churn rate, heap size, and TLS state complexity. High-traffic services may experience exhaustion within hours to days; low-traffic services might not exhibit the issue for weeks or longer. Production monitoring is essential to detect the problem early.
Can I work around this without upgrading immediately?
Temporary mitigations include disabling eBPF instrumentation, deploying only in non-production environments, or implementing automated JVM restarts when heap pressure crosses thresholds. However, these are not substitutes for patching; upgrade to version 0.9.0 as soon as feasible.
Does this affect all OpenTelemetry distributions or only eBPF Instrumentation?
This vulnerability is specific to OpenTelemetry eBPF Instrumentation and does not affect the core OpenTelemetry SDK or other instrumentation methods. If you are using Java auto-instrumentation via other means (e.g., standalone OpenTelemetry Java agent), verify your specific version against the vendor advisory.
This analysis is based on publicly available vulnerability data as of the publication date. CVSS scores and severity ratings are vendor-provided and may not reflect your organization's specific risk context. Always verify patch availability and compatibility against the official OpenTelemetry project advisory before deployment. Testing in a non-production environment is strongly recommended. This document does not constitute legal, compliance, or formal risk assessment advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10533MEDIUMOpenShift ResourceQuota Bypass Leads to API Server DoS
- CVE-2026-36499MEDIUMOpen vSwitch Thread Allocation DoS Vulnerability
- CVE-2026-40898MEDIUMquic-go HTTP/3 Trailer Memory Exhaustion DoS
- CVE-2026-40990MEDIUMSpring Cloud Function OOM Denial-of-Service Vulnerability
- CVE-2026-44545MEDIUMDaphne WebSocket Denial of Service via Unlimited Payload Size
- CVE-2026-45023MEDIUMAutoGPT Credit Bypass in Block Execution API
- CVE-2026-45078MEDIUMSynapse Denial-of-Service via CPU Exhaustion (v1.152.1+)
- CVE-2026-45292MEDIUMOpenTelemetry Java Baggage DoS Vulnerability – Patch & Detection Guide