CVE-2026-45680 Overview
CVE-2026-45680 affects OpenTelemetry eBPF Instrumentation (OBI), a component that provides eBPF-based instrumentation aligned with the OpenTelemetry standard. The vulnerability exists in versions prior to 0.9.0. OBI replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can grow very large, forcing the metrics exporter to consume excessive CPU in a tight loop every collection interval. The flaw is categorized under [CWE-400] Uncontrolled Resource Consumption. Maintainers patched the issue in version 0.9.0.
Critical Impact
Remote, unauthenticated attackers can trigger sustained CPU exhaustion on hosts running vulnerable OBI versions, degrading observability pipelines and co-located workloads.
Affected Products
- OpenTelemetry eBPF Instrumentation (Go) versions prior to 0.9.0
- Deployments using OBI as a metrics exporter on Linux hosts
- Observability stacks ingesting BPF probe histogram data from OBI
Discovery Timeline
- 2026-06-02 - CVE-2026-45680 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-45680
Vulnerability Analysis
The vulnerability is a denial-of-service condition rooted in unbounded loop iteration during metrics export. OBI translates eBPF probe hits into OpenTelemetry histogram observations. For each probe event, the exporter iterates once per recorded run count to replay observations into the histogram structure.
On high-throughput systems, the delta between successive run-count samples can reach very large values. The exporter then enters a tight loop sized by that delta on every collection interval. CPU time spent in this loop grows linearly with probe activity, starving other processes and the metrics pipeline itself.
The issue does not require authentication or user interaction. Any workload generating sustained probe activity, including attacker-driven network traffic that exercises instrumented code paths, can amplify the run-count delta and trigger the condition.
Root Cause
The root cause is an algorithmic design choice in the histogram replay path. OBI treats the run-count value as a literal iteration count rather than aggregating it as a weight. There is no upper bound on iterations per collection cycle. As probe hits accumulate between scrapes, the exporter performs O(n) work where n scales with observed traffic volume.
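To make the root cause concrete, here is an added Go model (not OBI's own code) of the two replay strategies: a vulnerable path that treats the run-count delta as a loop bound, and a weighted update that folds the delta into the bucket count in constant time. The Histogram type, the bucket bounds and the sample latency value are constructed for this example.

```go
package main

import "fmt"

// Histogram is a minimal explicit-bucket histogram, constructed for this
// example; it is not OBI's data structure.
type Histogram struct {
	Bounds []float64 // ascending upper bounds; Counts has one extra overflow bucket
	Counts []uint64
	Sum    float64
	Total  uint64
}

func NewHistogram(bounds []float64) *Histogram {
	return &Histogram{Bounds: bounds, Counts: make([]uint64, len(bounds)+1)}
}

// bucket returns the index of the first bound >= v, or the overflow index.
func (h *Histogram) bucket(v float64) int {
	for i, b := range h.Bounds {
		if v <= b {
			return i
		}
	}
	return len(h.Bounds)
}

// ReplayLooping models the vulnerable path: one observation per recorded run,
// so CPU work per collection interval grows linearly with the delta.
// It returns the number of loop iterations performed.
func (h *Histogram) ReplayLooping(value float64, delta uint64) uint64 {
	var iters uint64
	for i := uint64(0); i < delta; i++ {
		h.Counts[h.bucket(value)]++
		h.Sum += value
		h.Total++
		iters++
	}
	return iters
}

// ReplayWeighted models the fix: the delta is applied as a weight, so the
// update costs O(1) no matter how many hits accumulated between scrapes.
// It returns the number of update operations performed (always 1).
func (h *Histogram) ReplayWeighted(value float64, delta uint64) uint64 {
	h.Counts[h.bucket(value)] += delta
	h.Sum += value * float64(delta)
	h.Total += delta
	return 1
}

func main() {
	slow, fast := NewHistogram([]float64{0.1, 0.5, 1.0}), NewHistogram([]float64{0.1, 0.5, 1.0})
	fmt.Println("looping iterations:", slow.ReplayLooping(0.25, 200000))
	fmt.Println("weighted operations:", fast.ReplayWeighted(0.25, 200000))
	fmt.Println("same state:", slow.Total == fast.Total && slow.Sum == fast.Sum)
}
```

Both strategies leave the histogram in an identical state; only the work per collection interval differs, which is exactly the resource-consumption gap the advisory describes.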
Attack Vector
The attack vector is network-based and requires no privileges. An attacker generates traffic that exercises instrumented endpoints at high rates. Each request increments the probe run count. By the next collection interval, the exporter must replay the accumulated count, consuming CPU proportional to the request volume. The vulnerability affects availability of the host and the metrics pipeline. Confidentiality and integrity are not impacted.
No verified proof-of-concept code is publicly available. See the GitHub Security Advisory GHSA-89c6-vpcj-7vj4 for technical details.
Detection Methods for CVE-2026-45680
Indicators of Compromise
- Sustained high CPU utilization by the OBI metrics exporter process at every collection interval
- Increased latency or timeouts in OpenTelemetry metrics scrape responses
- Spikes in histogram observation counts disproportionate to actual application traffic
Detection Strategies
- Inventory hosts running opentelemetry-ebpf-instrumentation and verify the installed version against 0.9.0
- Correlate exporter CPU spikes with request-rate increases on instrumented endpoints
- Alert on collection-interval scrape durations exceeding baseline by a configurable threshold
Monitoring Recommendations
- Track CPU consumption of the OBI exporter process per collection cycle
- Monitor histogram bucket increment volumes for anomalous growth
- Log and review network traffic patterns that align with exporter CPU saturation events
How to Mitigate CVE-2026-45680
Immediate Actions Required
- Upgrade OpenTelemetry eBPF Instrumentation to version 0.9.0 or later
- Identify all deployments using affected OBI versions across production and staging clusters
- Rate-limit or filter external traffic to instrumented endpoints until patching completes
Patch Information
The maintainers released the fix in OBI 0.9.0. Refer to the GitHub Release v0.9.0 for release notes and to the GitHub Security Advisory GHSA-89c6-vpcj-7vj4 for advisory details.
Workarounds
- Where an upgrade is not immediate, reduce the metrics collection frequency (lengthen the collection interval) to limit per-cycle iteration budgets
- Disable OBI instrumentation on hosts exposed to untrusted high-volume traffic until patched
- Apply upstream rate limiting at ingress to cap probe activity reaching instrumented services
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.