PT-2026-41788 · Opentelemetry · @Opentelemetry/Instrumentation

Mralias

·

Published

2026-05-18

·

Updated

2026-06-25

·

CVE-2026-45683

CVSS v3.1

3.8

Low

VectorAV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions OpenTelemetry eBPF Instrumentation versions prior to 0.9.0
Description The Java TLS ioctl probe incorrectly uses the bpf probe read function instead of bpf probe read user when reading user-controlled ioctl pointers. This occurs within the do vfs ioctl kprobe hook, which treats the third ioctl argument as a structured buffer and reads fields such as the operation byte from arg, connection metadata from arg + 1, and payload length from arg + 1 + sizeof(connection info t). If the length is greater than zero, the pointer is passed to the handle buf with connection() function.
Because the pointer originates in user space, the use of bpf probe read allows an instrumented local process to provide a kernel pointer, enabling the exfiltration of kernel-resident memory into telemetry systems. This results in a local kernel memory disclosure primitive for deployments that enable Java TLS support.
Recommendations Update to version 0.9.0.

Exploit

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45683
GHSA-FJQ3-FFVR-VM46
GO-2026-5366

Affected Products

@Opentelemetry/Instrumentation