MEDIUM 4.9

CVE-2026-45684: OpenTelemetry eBPF Instrumentation Buffer Over-Read Vulnerability

OpenTelemetry eBPF Instrumentation versions 0.7.0 through 0.8.x contain a buffer handling flaw in the log enricher component. When log injection is enabled, attackers can craft a multi-segment write operation that tricks the instrumentation into reading beyond the intended buffer boundary, potentially overwriting memory. This could lead to information disclosure, data corruption, or application instability on systems using the affected versions.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.9 MEDIUM · CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-126, CWE-787
Affected products
1 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.7.0 to before version 0.9.0, OBI's log enricher mishandles writev buffers by reading only the first iovec entry but using the total iov_iter.count as the copy length. When log injection is enabled, a crafted multi-segment writev call can make OBI read and overwrite memory beyond the first segment. This issue has been patched in version 0.9.0.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from a mismatch in writev buffer processing within OBI's log enricher. The code reads only the first iovec entry from a multi-segment I/O vector but uses the total byte count (iov_iter.count) as the copy length parameter. An adversary can exploit this by issuing a crafted writev call with multiple segments; the instrumentation will read from the first segment's memory location but continue reading for the full declared length, crossing segment boundaries and accessing unintended memory. The flaw is rooted in CWE-126 (buffer over-read) and CWE-787 (out-of-bounds write).

Business impact

Organizations relying on OpenTelemetry eBPF Instrumentation for observability and log injection face potential data leakage from process memory and risk of application crashes or unexpected behavior. If an unprivileged process on the system can trigger log enrichment with crafted I/O patterns, a local attacker could extract sensitive information or destabilize monitored applications. The impact is localized to the host running the instrumentation but could propagate through log streams if exfiltrated data is captured.

Affected systems

OpenTelemetry eBPF Instrumentation versions 0.7.0 through 0.8.x are vulnerable. Version 0.9.0 and later include a fix. Deployments actively using log injection features are at greatest risk. The vulnerability requires local or process-level access to craft malicious writev calls, limiting the attack surface to users or code running on the same host.

Exploitability

Exploitation requires local system access and the ability to trigger writev calls that reach the instrumentation layer—typically through application code or a local user process. The CVSS vector (AV:L/AC:H) reflects this: attack is local-only and conditions must be right (log injection enabled, specific multi-segment I/O pattern). While not trivial, a motivated attacker with limited privileges can craft the necessary conditions. No known public exploits exist at this time, and the vulnerability does not appear on CISA's Known Exploited Vulnerabilities list.

Remediation

Upgrade OpenTelemetry eBPF Instrumentation to version 0.9.0 or later. If immediate patching is not feasible, disable log injection features in the instrumentation configuration to eliminate the attack surface. Review your deployment inventory to identify all hosts running affected versions.

Patch guidance

Update to OpenTelemetry eBPF Instrumentation version 0.9.0 or later. Consult the official OpenTelemetry release notes and your package manager (pip, npm, container registry, etc.) for the patched build appropriate to your environment. Verify the update by checking the installed version and restarting instrumented applications to ensure the new code is loaded.

Detection guidance

Monitor for writev system calls with unusual iovec structures (multiple segments with unexpected total byte counts) originating from processes running OpenTelemetry instrumentation. Log any crashes or memory access violations in instrumented applications. Review application logs for signs of data corruption or unexpected output that might indicate out-of-bounds reads. Host-based intrusion detection or kernel audit logs may reveal suspicious I/O patterns, though the low severity and local-only nature means detection is often reactive.

Why prioritize this

This vulnerability merits prompt but not emergency patching. The CVSS score of 4.9 (MEDIUM) reflects limited scope (local-only), high attack complexity, and modest impact (partial confidentiality, integrity, and availability). It does not appear on CISA's KEV list. Prioritize systems where untrusted local users can run code and log injection is enabled; general-purpose servers and container environments with multi-tenant workloads should be addressed within standard patching windows. Development and test environments are lower priority unless they mirror production instrumentation closely.

Risk score, explained

The CVSS 3.1 score of 4.9 is driven by the local-only attack vector (AV:L), high attack complexity (AC:H)—requiring specific I/O patterns and enabled log injection—and limited impact scope. The flaw affects only confidentiality, integrity, and availability on the local system; it does not grant remote code execution or cross-system compromise. The score appropriately reflects a real but bounded risk suitable for standard maintenance windows rather than emergency incident response.

Frequently asked questions

Does this vulnerability require network connectivity or can it only be exploited locally?

Exploitation is strictly local. The attacker must run code or trigger system calls on the same host running OpenTelemetry eBPF Instrumentation. There is no remote attack vector.

If log injection is disabled, am I safe?

Yes. The vulnerability exists only when log injection is enabled in the instrumentation configuration. Disabling this feature eliminates the attack surface while you plan your upgrade.

What versions are affected?

Versions 0.7.0 through 0.8.x are vulnerable. Version 0.9.0 and later have been patched. Verify your installed version and consult the OpenTelemetry release notes to confirm your version number.

Can this vulnerability leak sensitive data from other processes?

No. The out-of-bounds read is confined to the memory space of the process running the instrumentation. Sensitive data from other processes is not directly accessible unless it is shared in memory regions the instrumented process can reach.

This analysis is provided for informational purposes to help security teams assess and prioritize vulnerability remediation. All information is derived from publicly available sources and CVE records current as of the publication date. Users should independently verify patch availability, compatibility, and applicability to their specific deployments against official vendor advisories. SEC.co makes no warranty regarding the completeness or accuracy of this assessment and disclaims liability for any reliance on this content in production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).