CVE-2026-45681 Overview
CVE-2026-45681 is an out-of-bounds read vulnerability [CWE-125] in OpenTelemetry eBPF Instrumentation (OBI). The flaw exists in the per-CPU message-buffer fallback path, which uses a 256-byte backup buffer while preserving the original payload size of up to 8KB. When a CPU mismatch occurs, OBI reads beyond the fallback buffer and leaks adjacent kernel memory into telemetry output. The issue affects all versions prior to 0.9.0 and is exploitable over the network without authentication or user interaction. Maintainers patched the issue in version 0.9.0. The vulnerability impacts confidentiality only, with no effect on integrity or availability.
Critical Impact
Adjacent memory contents can leak into telemetry data streams, potentially exposing sensitive kernel or application data to downstream collectors.
Affected Products
- OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0
- Go-based deployments of opentelemetry:ebpf_instrumentation
- Environments forwarding OBI telemetry to external collectors
Discovery Timeline
- 2026-06-02 - CVE-2026-45681 published to NVD
- 2026-06-03 - Last updated in the NVD database
Technical Details for CVE-2026-45681
Vulnerability Analysis
The vulnerability resides in OBI's per-CPU message-buffer fallback logic. OBI uses eBPF per-CPU maps to capture telemetry events from the kernel. When the per-CPU buffer is unavailable, the code falls back to a 256-byte backup buffer. However, the payload length metadata associated with the original event, which can reach 8KB, is preserved unchanged.
Downstream consumers read the declared payload size from the smaller fallback region. The read extends past the 256-byte boundary into adjacent memory. This leaked memory is then serialized into telemetry records and forwarded to OpenTelemetry collectors. Because OBI runs with kernel privileges via eBPF, adjacent memory may contain sensitive kernel structures, application secrets, or other process data.
Root Cause
The root cause is a missing length validation between the declared payload size and the actual fallback buffer capacity. The fallback path failed to truncate or recompute the payload length to match the 256-byte backup buffer. This length-versus-buffer mismatch produces the out-of-bounds read [CWE-125] when a CPU mismatch triggers the fallback path.
Attack Vector
Exploitation requires triggering the CPU mismatch condition that activates the fallback buffer path. The CVSS vector indicates high attack complexity, reflecting the timing and environmental conditions required. An attacker observing telemetry output, either as a privileged collector consumer or through telemetry pipeline access, can harvest leaked memory contents. No authentication or user interaction is required on the instrumented host. The vulnerability does not enable code execution or data modification; impact is limited to information disclosure through telemetry channels.
No public proof-of-concept exploit code is available. Refer to the GitHub Security Advisory GHSA-r6c9-g6q5-qrf9 for technical details.
Detection Methods for CVE-2026-45681
Indicators of Compromise
- Telemetry payloads containing non-printable bytes, unexpected binary patterns, or fragments of unrelated process memory
- OBI event records where serialized payload length exceeds the fallback buffer size of 256 bytes
- Anomalous string fragments in span attributes that resemble kernel pointers, credentials, or environment variables
Detection Strategies
- Inventory deployed OBI versions across hosts and flag any instance running a release prior to 0.9.0
- Inspect OpenTelemetry collector ingestion logs for malformed or oversized OBI spans
- Apply content inspection rules to telemetry pipelines to flag high-entropy or sensitive-pattern data in OBI-generated spans
Monitoring Recommendations
- Forward OBI process metadata and version strings into a centralized log store for continuous version tracking
- Alert on deployments of opentelemetry:ebpf_instrumentation packages below version 0.9.0
- Monitor telemetry collector endpoints for unusual payload size distributions originating from OBI agents
How to Mitigate CVE-2026-45681
Immediate Actions Required
- Upgrade all OBI deployments to version 0.9.0 or later as published in the GitHub Release v0.9.0
- Audit telemetry data already collected from vulnerable OBI versions for sensitive content that may have leaked
- Restrict access to OpenTelemetry collectors and downstream telemetry stores to authorized consumers only
Patch Information
The maintainers fixed the issue in OpenTelemetry eBPF Instrumentation version 0.9.0. The patch corrects the fallback path so the payload length is bounded by the 256-byte backup buffer capacity. Review the GitHub Security Advisory GHSA-r6c9-g6q5-qrf9 for the complete remediation notice.
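The length-versus-capacity mismatch from the Root Cause section, the bounded read the patch introduces, and the oversized-payload indicator from Detection Methods, as an added Go illustration (not OBI's own code; the event type, field names and the constructed neighbouring data are assumptions). A slice's spare capacity stands in for the kernel memory that sits next to the 256-byte fallback buffer.

```go
package main

import (
	"bytes"
	"fmt"
)

const (
	fallbackSize = 256  // backup buffer used when the per-CPU buffer is unavailable
	maxPayload   = 8192 // largest payload length an OBI event may declare
)

// event is an illustrative stand-in for an OBI event (field names are assumed).
type event struct {
	declaredLen int    // length preserved from the original event, up to 8KB
	region      []byte // the 256-byte fallback buffer the payload is read from
}
// buildMemory constructs a backing array: the 256-byte fallback buffer followed
// by unrelated data standing in for adjacent kernel memory.
func buildMemory() []byte {
	mem := append(bytes.Repeat([]byte{'A'}, fallbackSize), "DB_PASSWORD=hunter2;"...)
	return append(mem, bytes.Repeat([]byte{'B'}, maxPayload-len(mem))...)
}
// vulnerableRead trusts declaredLen. A slice may be resliced up to its capacity,
// so region[:n] runs past the buffer into the neighbour: the advisory's mismatch.
func vulnerableRead(ev event) []byte {
	n := ev.declaredLen
	if n > cap(ev.region) { // only to keep the demo from panicking
		n = cap(ev.region)
	}
	return ev.region[:n]
}
// boundedRead is the fixed behaviour: clamp to the buffer's real size first.
func boundedRead(ev event) []byte {
	n := ev.declaredLen
	if n > len(ev.region) {
		n = len(ev.region)
	}
	return append([]byte(nil), ev.region[:n]...)
}
// oversized is a collector-side check: a fallback-path payload over 256 bytes is never legitimate.
func oversized(payload []byte) bool { return len(payload) > fallbackSize }

func main() {
	ev := event{declaredLen: maxPayload, region: buildMemory()[:fallbackSize]}
	for _, p := range [][]byte{vulnerableRead(ev), boundedRead(ev)} {
		fmt.Printf("len=%d leaks=%v flagged=%v\n", len(p), bytes.Contains(p, []byte("DB_PASSWORD")), oversized(p))
	}
}
```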
Workarounds
- No official workaround exists; upgrading to version 0.9.0 is the recommended path
- If immediate upgrade is not feasible, disable OBI instrumentation on hosts handling sensitive workloads
- Apply egress filtering on telemetry pipelines to scrub or block payloads exceeding expected size bounds
# Upgrade OBI to the patched release
go get github.com/open-telemetry/opentelemetry-ebpf-instrumentation@v0.9.0
# Verify deployed version
obi --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.