PT-2026-41788 · Opentelemetry · @Opentelemetry/Instrumentation
Mralias
·
Published
2026-05-18
·
Updated
2026-06-25
·
CVE-2026-45683
CVSS v3.1
3.8
Low
| Vector | AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
OpenTelemetry eBPF Instrumentation versions prior to 0.9.0
Description
The Java TLS ioctl probe incorrectly uses the
bpf probe read function instead of bpf probe read user when reading user-controlled ioctl pointers. This occurs within the do vfs ioctl kprobe hook, which treats the third ioctl argument as a structured buffer and reads fields such as the operation byte from arg, connection metadata from arg + 1, and payload length from arg + 1 + sizeof(connection info t). If the length is greater than zero, the pointer is passed to the handle buf with connection() function.Because the pointer originates in user space, the use of
bpf probe read allows an instrumented local process to provide a kernel pointer, enabling the exfiltration of kernel-resident memory into telemetry systems. This results in a local kernel memory disclosure primitive for deployments that enable Java TLS support.Recommendations
Update to version 0.9.0.
Exploit
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
@Opentelemetry/Instrumentation