PT-2026-41785 · Opentelemetry · @Opentelemetry/Instrumentation

Mralias

·

Published

2026-05-18

·

Updated

2026-06-25

·

CVE-2026-45680

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions OpenTelemetry eBPF Instrumentation versions prior to 0.9.0
Description OpenTelemetry eBPF Instrumentation (OBI) replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very large, causing the metrics exporter to spend excessive CPU time in a tight loop during every collection interval. This occurs because the calculateStats() function calculates deltaCount as the difference between bp.runCount and bp.prevRunCount without applying a cap. The exporter then iterates through probeMetrics and executes a loop based on metric.count, invoking the BpfProbeLatency() function for each individual recorded hit. Consequently, CPU consumption becomes proportional to the number of probe hits rather than the number of metric series, which can lead to an availability issue in the internal metrics path when tracing high-volume workloads.
Recommendations Update to version 0.9.0.

Exploit

Fix

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45680
GHSA-89C6-VPCJ-7VJ4
GO-2026-5248

Affected Products

@Opentelemetry/Instrumentation