PT-2026-41785 · Opentelemetry · @Opentelemetry/Instrumentation
Mralias
·
Published
2026-05-18
·
Updated
2026-06-25
·
CVE-2026-45680
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
OpenTelemetry eBPF Instrumentation versions prior to 0.9.0
Description
OpenTelemetry eBPF Instrumentation (OBI) replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very large, causing the metrics exporter to spend excessive CPU time in a tight loop during every collection interval. This occurs because the
calculateStats() function calculates deltaCount as the difference between bp.runCount and bp.prevRunCount without applying a cap. The exporter then iterates through probeMetrics and executes a loop based on metric.count, invoking the BpfProbeLatency() function for each individual recorded hit. Consequently, CPU consumption becomes proportional to the number of probe hits rather than the number of metric series, which can lead to an availability issue in the internal metrics path when tracing high-volume workloads.Recommendations
Update to version 0.9.0.
Exploit
Fix
Resource Exhaustion
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
@Opentelemetry/Instrumentation