PT-2026-41789 · Unknown · @Opentelemetry/Instrumentation

·

CVE-2026-45684

·

Published

2026-05-18

·

Updated

2026-06-25

CVSS v3.1

5.3

Medium

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions OpenTelemetry eBPF Instrumentation versions 0.7.0 through 0.8.x
Description The log enricher mishandles writev buffers by reading only the first iovec entry while using the total iov iter.count as the copy length. When log injection is enabled, a crafted multi-segment writev call can cause the software to read and overwrite memory beyond the first segment. This occurs because the fill iov() function resolves only one struct iovec, but the write() function uses the total byte count across all segments. This memory safety flaw can lead to the corruption of adjacent application buffers, memory leakage into log events, or process instability.
Recommendations Update to version 0.9.0. As a temporary workaround, disable the log injection feature to minimize the risk of exploitation.

Exploit

Fix

Memory Corruption

Buffer Over-read

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45684
GHSA-VVMG-8MJR-G6Q3
GO-2026-5677

Affected Products

@Opentelemetry/Instrumentation