CVE-2026-45682 Overview
CVE-2026-45682 is a memory leak vulnerability in OpenTelemetry eBPF Instrumentation, a project that provides eBPF-based instrumentation aligned with the OpenTelemetry standard. The flaw resides in the custom CappedConcurrentHashMap used for Java TLS state tracking. When entries are deleted, the implementation never removes the associated keys from its insertion-order queue. Long-running instrumented Java Virtual Machines (JVMs) with frequent connection churn can therefore grow the queue without bound and exhaust heap memory. The issue is patched in version 0.9.0 and is tracked under [CWE-401] Missing Release of Memory after Effective Lifetime.
Critical Impact
A local attacker with low privileges can trigger heap exhaustion in instrumented JVMs, leading to denial of service of the monitored application.
Affected Products
- OpenTelemetry eBPF Instrumentation versions prior to 0.9.0
- Go-based distributions of opentelemetry:ebpf_instrumentation
- Instrumented Java workloads relying on TLS state tracking
Discovery Timeline
- 2026-06-02 - CVE-2026-45682 published to the National Vulnerability Database (NVD)
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-45682
Vulnerability Analysis
The vulnerability resides in CappedConcurrentHashMap, a custom data structure introduced to bound the size of the Java TLS state-tracking cache. The structure pairs a concurrent hash map with an auxiliary insertion-order queue that determines which entries to evict once a capacity threshold is reached. The implementation removes evicted entries from the map but does not remove their keys from the queue when deletions occur outside the standard eviction path. The queue therefore retains references to keys whose values have already been removed, preventing garbage collection and growing unbounded over time.
In workloads with frequent TLS connection setup and teardown, every short-lived connection contributes additional entries to the queue. The instrumented JVM eventually exhausts heap memory and triggers OutOfMemoryError, halting the monitored application. The defect is classified under [CWE-401] Missing Release of Memory after Effective Lifetime.
Root Cause
The root cause is incomplete cleanup logic in the CappedConcurrentHashMap deletion path. Keys remain pinned in the insertion-order queue even after the corresponding map entries are removed. Connection churn amplifies the leak because each new TLS session generates a fresh key that is never released.
Attack Vector
Exploitation requires local access with low privileges on a host running an instrumented JVM. An adversary, or a noisy application workload, can drive sustained TLS connection churn against the monitored Java process. Because no user interaction is required and the integrity and confidentiality of data are not affected, the impact is limited to availability through memory exhaustion. See the GitHub Security Advisory GHSA-962q-hwm5-52x5 for additional technical detail.
No verified public exploit code or proof-of-concept is available for CVE-2026-45682.
Detection Methods for CVE-2026-45682
Indicators of Compromise
- Steady, monotonic growth of resident heap memory in JVMs instrumented with opentelemetry-ebpf-instrumentation versions earlier than 0.9.0.
- Repeated java.lang.OutOfMemoryError: Java heap space events in instrumented services without a corresponding application-level cause.
- Heap dumps showing large retained sets rooted in CappedConcurrentHashMap insertion-order queue structures.
Detection Strategies
- Inventory all hosts running OpenTelemetry eBPF Instrumentation and compare deployed versions against v0.9.0.
- Correlate JVM garbage collection metrics with TLS connection rate to identify processes where heap growth tracks connection churn.
- Trigger periodic heap histograms (jcmd <pid> GC.class_histogram) on instrumented JVMs and flag growth of the CappedConcurrentHashMap internal queue type.
Monitoring Recommendations
- Alert on JVM old-generation heap usage trending above 80% for sustained periods on instrumented hosts.
- Track full garbage collection frequency and duration on monitored Java services and alert on regressions following deployment of the instrumentation agent.
- Aggregate OutOfMemoryError and JVM crash signals into a central log platform and pivot on the ebpf_instrumentation component label.
How to Mitigate CVE-2026-45682
Immediate Actions Required
- Upgrade OpenTelemetry eBPF Instrumentation to version 0.9.0 or later on all monitored hosts.
- Restart any long-running instrumented JVMs to clear accumulated state from the prior vulnerable build.
- Restrict local access to hosts running instrumented JVMs so only trusted operators and workloads can interact with them.
Patch Information
The maintainers fixed the unbounded queue growth in version 0.9.0 by ensuring deletions from CappedConcurrentHashMap also remove the associated key from the insertion-order queue. Patch details and release notes are available in the GitHub Release v0.9.0 and the GitHub Security Advisory GHSA-962q-hwm5-52x5.
Workarounds
- Schedule periodic restarts of instrumented JVMs to reclaim heap memory until the patch is deployed.
- Temporarily disable Java TLS state tracking in the instrumentation configuration if business requirements permit, removing the affected code path.
- Raise JVM maximum heap size (-Xmx) as a short-term buffer, recognizing this only delays exhaustion rather than eliminating it.
# Upgrade example using Go module tooling
go get github.com/open-telemetry/opentelemetry-ebpf-instrumentation@v0.9.0
go mod tidy
# Verify the resolved version
go list -m github.com/open-telemetry/opentelemetry-ebpf-instrumentation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
