LOW 3.8

CVE-2026-45683: OpenTelemetry eBPF Instrumentation Kernel Memory Disclosure

OpenTelemetry eBPF Instrumentation versions prior to 0.9.0 contain a memory disclosure vulnerability in the Java TLS monitoring probe. The vulnerability stems from incorrect kernel memory access calls that allow a local attacker to read sensitive kernel memory and exfiltrate it through the instrumentation telemetry pipeline. This is a localized information disclosure risk that requires local process-level access to exploit.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.8 LOW · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Weaknesses (CWE)
CWE-127, CWE-200
Affected products
1 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the Java TLS ioctl probe reads user-controlled ioctl pointers with bpf_probe_read instead of bpf_probe_read_user. An instrumented local process can therefore point OBI at kernel memory and cause that memory to be copied into telemetry. This issue has been patched in version 0.9.0.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The Java TLS ioctl probe in OpenTelemetry eBPF Instrumentation prior to version 0.9.0 uses bpf_probe_read() to access user-supplied ioctl pointer arguments. This function does not validate memory boundaries and can inadvertently read from kernel-space memory regions. An attacker controlling an instrumented local process can craft malicious ioctl pointers to force the probe to copy arbitrary kernel memory into telemetry events, bypassing normal memory access restrictions. The issue is resolved in version 0.9.0 by switching to bpf_probe_read_user(), which enforces user-space memory boundaries.

Business impact

This vulnerability creates a potential information disclosure pathway in environments where OpenTelemetry eBPF Instrumentation monitors Java applications. An attacker with local access to a system running vulnerable instrumentation could extract kernel memory contents, potentially revealing cryptographic keys, authentication tokens, or other sensitive runtime state. The impact is limited by the LOCAL attack vector and LOW privilege requirement, making this a concern primarily for multi-tenant or shared container environments where process isolation is a security boundary.

Affected systems

OpenTelemetry eBPF Instrumentation versions prior to 0.9.0 are affected. This includes any deployment using this package for Java TLS telemetry collection. The vulnerability does not affect versions 0.9.0 or later. Organizations should verify their eBPF instrumentation version in package manifests or dependency lockfiles.

Exploitability

Exploitation requires local system access and the ability to influence ioctl parameters of a monitored process. The attack vector is LOCAL and requires LOW privilege, meaning any non-root process on the system could potentially trigger the vulnerability. However, practical exploitation depends on the application's ioctl calling patterns and whether sensitive kernel data is predictably addressable. No public exploit code is known to exist. The CVSS score of 3.8 (LOW severity) reflects the restricted attack surface and the information-disclosure-only impact.

Remediation

Upgrade OpenTelemetry eBPF Instrumentation to version 0.9.0 or later. This version replaces the vulnerable bpf_probe_read() calls with bpf_probe_read_user(), which restricts memory access to user-space regions only. No workarounds are available for earlier versions; patching is the only mitigation. Organizations should prioritize this update in environments where eBPF instrumentation runs with elevated privileges or monitors security-sensitive applications.

Patch guidance

Verify the current version of opentelemetry_ebpf_instrumentation in your environment by checking package managers, build artifacts, or runtime library metadata. Update to version 0.9.0 or later through your standard package management process. After patching, verify the Java TLS probe is functioning correctly by confirming telemetry is still being collected for Java TLS events. Test in a non-production environment first to ensure compatibility with your monitoring pipeline.

Detection guidance

Review deployment logs and package inventories for OpenTelemetry eBPF Instrumentation versions prior to 0.9.0. In environments where this component is deployed, monitor for unusual kernel memory access patterns in eBPF probe logs if available. Since this is a memory access API misuse rather than a network-facing vulnerability, detection often requires access to eBPF runtime traces or instrumentation logs. Conduct an inventory of Java applications and monitoring infrastructure to identify which systems are actively using this component.

Why prioritize this

Although the CVSS score is LOW, this vulnerability merits attention in security-conscious environments because it directly undermines confidentiality guarantees of kernel memory isolation. Organizations running eBPF instrumentation on shared systems, in containerized environments, or with untrusted workloads should prioritize patching to prevent local information disclosure. The fix is straightforward and low-risk, making this an efficient remediation task.

Risk score, explained

CVSS v3.1 score of 3.8 reflects: (1) LOCAL attack vector—requires direct system access, not remotely exploitable; (2) LOW privilege requirement—any local process can attempt the attack; (3) information disclosure only—no code execution, service disruption, or integrity impact; (4) scope CHANGED—the probe reads kernel memory outside the original scope of the monitored Java TLS process; (5) low confidentiality impact due to difficulty in reliably predicting kernel addresses and extracting meaningful data. The score appropriately ranks this as low severity but not negligible for regulated or high-security environments.

Frequently asked questions

Does this affect OpenTelemetry Collector or other OpenTelemetry components?

No. This vulnerability is specific to OpenTelemetry eBPF Instrumentation, a specialized package for eBPF-based instrumentation. Standard OpenTelemetry Collector deployments, API libraries, and SDKs are not affected. Verify you are using the ebpf_instrumentation package if concerned.

Can this vulnerability be exploited remotely?

No. The attack vector is strictly LOCAL, requiring an attacker to run code or influence process parameters on the same system where instrumentation is deployed. Network-based attacks are not possible.

What types of kernel memory could be disclosed?

Theoretically, any kernel memory readable by the eBPF program's privilege level. In practice, an attacker would need to guess or observe valid kernel addresses. Potential targets include kernel structures, page cache contents, or memory shared between processes. However, reliable exploitation would require detailed knowledge of kernel memory layout.

Are there any recommended mitigations short of upgrading?

Mitigations are limited. Organizations can restrict local access controls, run eBPF instrumentation with the minimal necessary privileges, isolate untrusted workloads from instrumented systems, and monitor for unusual memory access patterns in telemetry. However, upgrading to version 0.9.0 or later is the only complete fix.

This analysis is provided for informational purposes and based on available vulnerability data as of the publication date. Readers should verify patch availability and compatibility in their specific environments before deploying updates. OpenTelemetry and related projects may issue additional advisories or updates. Consult official vendor advisories and security documentation for the most current information. This page does not constitute legal advice or a comprehensive security assessment; organizations should conduct their own risk analysis aligned with their security posture and compliance requirements. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).