PT-2026-41787 · Opentelemetry · @Opentelemetry/Instrumentation

Mralias

·

Published

2026-05-18

·

Updated

2026-07-09

·

CVE-2026-45682

CVSS v3.1

5.5

Medium

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions OpenTelemetry eBPF Instrumentation versions prior to 0.9.0
Description A memory leak exists in the custom CappedConcurrentHashMap used for Java TLS state tracking. The remove() function deletes entries from the map but fails to remove the corresponding keys from the insertion-order queue. In long-running instrumented JVMs with frequent connection churn, this queue grows without bound, potentially leading to long garbage collection pauses or heap memory exhaustion resulting in an OutOfMemoryError.
Recommendations Update to version 0.9.0.

Exploit

Fix

Memory Leak

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45682
GHSA-962Q-HWM5-52X5
GO-2026-5275
OPENSUSE-SU-2026:11053-1
OPENSUSE-SU-2026:21251-1
SUSE-SU-2026:2824-1

Affected Products

@Opentelemetry/Instrumentation