PT-2026-51442 · Go · Github.Com/Inspektor-Gadget/Inspektor-Gadget

Published

2026-06-22

·

Updated

2026-06-22

·

CVE-2026-44778

CVSS v4.0

2.9

Low

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

Summary

A malicious container can crash or destabilize the privileged Inspektor Gadget process when a gadget using USDT probes is deployed. The vulnerability is in the USDT note parser (pkg/uprobetracer/usdt.go) which is invoked when a gadget with a SEC("usdt/...") section attaches to a target binary. An unprivileged process can place a crafted ELF binary at the expected library path, triggering one of two attack vectors:
  1. Panic (immediate crash): A stapsdt note with a small DescSize causes an out-of-bounds slice access, panicking the IG process.
  2. Memory exhaustion (OOM kill): A stapsdt note with a very large NameSize or DescSize causes IG to allocate up to ~4 GiB of memory, which can killnthe process if deployed with memory restrictions (e.g., cgroup limits).
Important: The vulnerability is only triggered when running a gadget that uses USDT probes (i.e., contains a SEC("usdt/...") eBPF section). No gadget shipped by the Inspektor Gadget project uses USDT today. Users who deploy their own custom USDT gadgets are affected.

Severity

Low — Denial of Service (process crash or OOM) of a privileged host process, triggered by an unprivileged container. The vulnerable code path is only reached when a gadget using USDT probes is deployed. No such gadget is shipped by the Inspektor Gadget project; only users running custom USDT gadgets are affected.
  • Attack vector: An unprivileged process in a container places a crafted ELF file at a path that a USDT gadget targets (e.g., a library name resolved via the container's ld cache). When the gadget attaches, IG parses the malicious ELF and crashes.
  • Impact: The IG process panics and crashes (vector 1) or is OOM-killed (vector 2). This is a DoS against the monitoring infrastructure, not a code execution or privilege escalation vulnerability.
  • Affected component: pkg/uprobetracer/usdt.go, function getUsdtInfo()
  • Prerequisites: A gadget with a SEC("usdt/...") eBPF section must be running and configured to attach to a library inside the attacker's container. No shipped gadgets use USDT probes, so this only affects deployments with custom USDT gadgets.

Affected Versions

All versions of Inspektor Gadget that include USDT support in pkg/uprobetracer/usdt.go, starting from v0.28.0 (commit 7ee5e7a90 "pkg/uprobetracer: support USDT trace points").

Root Cause

Vector 1: Out-of-bounds slice access (panic)

In pkg/uprobetracer/usdt.go, the function getUsdtInfo() parses stapsdt notes from an ELF file's .note.stapsdt section. When a matching note is found (name == "stapsdt0" and type == 3), it reads three address fields from the note descriptor:
go
// usdt.go lines 137-139
elfLocation := elfReader.ByteOrder.Uint64(desc[:wordSize])
elfBase := elfReader.ByteOrder.Uint64(desc[wordSize : 2*wordSize])
elfSemaphore := elfReader.ByteOrder.Uint64(desc[2*wordSize : 3*wordSize])
For a 64-bit ELF, wordSize = 8, so this requires desc to be at least 24 bytes. However, desc is allocated based on the note's DescSize field from the ELF file:
go
desc := make([]byte, alignUp(uint64(header.DescSize), 4))
A crafted ELF with DescSize = 1 produces a 4-byte desc buffer. The expression desc[:8] then panics with:
panic: runtime error: slice bounds out of range [:8] with capacity 4

Vector 2: Unbounded memory allocation (OOM)

The NameSize and DescSize fields from the note header are used directly to allocate memory without any upper bound:
go
name := make([]byte, alignUp(uint64(header.NameSize), 4))
desc := make([]byte, alignUp(uint64(header.DescSize), 4))
A crafted ELF with NameSize = 0xFFFFFFFF would attempt to allocate ~4 GiB of memory. Under cgroup memory limits (common in Kubernetes deployments), this triggers an OOM kill of the IG process.

Vector 3: Missing panic recovery for debug/elf

Go's debug/elf package is not hardened against adversarial inputs and may panic on malformed ELF headers. The cilium/ebpf library addresses this with its SafeELFFile wrapper that uses recover(), but getUsdtInfo() calls elf.NewFile() directly without any panic recovery.

Fix

The fix (3 changes in pkg/uprobetracer/usdt.go):
  1. Bounds check on descriptor size: Validate len(desc) >= 3*wordSize before accessing the address fields. Reject malformed notes with an error instead of panicking.
  2. Cap allocation sizes: Limit NameSize and DescSize to a reasonable maximum (1 MiB) before allocating memory, preventing DoS via memory exhaustion. There is no standard upper bound for ELF note fields; 1 MiB is a generous arbitrary cap — legitimate USDT notes are typically under 1 KB.
  3. Panic recovery: Wrap getUsdtInfo() with defer/recover to catch any panics from debug/elf on malformed input, converting them to errors.

Related

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2026-44778
GHSA-7CFQ-5MHV-JRP9

Affected Products

Github.Com/Inspektor-Gadget/Inspektor-Gadget