CVE-2026-45683 Overview
CVE-2026-45683 affects OpenTelemetry eBPF Instrumentation (OBI), a library that provides extended Berkeley Packet Filter (eBPF) instrumentation based on the OpenTelemetry standard. The Java Transport Layer Security (TLS) ioctl probe reads user-controlled ioctl pointers using bpf_probe_read instead of bpf_probe_read_user. An instrumented local process can redirect OBI to read kernel memory and have that data copied into telemetry output. The flaw is classified under CWE-127: Buffer Under-read. Maintainers addressed the issue in version 0.9.0.
Critical Impact
A local, low-privileged process can leverage the unsafe eBPF helper to leak kernel memory contents through OpenTelemetry traces.
Affected Products
- OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0
- Go-based OBI distributions (cpe:2.3:a:opentelemetry:ebpf_instrumentation:*:*:*:*:*:go:*:*)
- Deployments using the Java TLS ioctl probe for instrumented workloads
Discovery Timeline
- 2026-06-02 - CVE-2026-45683 published to the National Vulnerability Database (NVD)
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-45683
Vulnerability Analysis
OpenTelemetry eBPF Instrumentation attaches eBPF programs to trace TLS operations performed by Java processes. The Java TLS probe inspects ioctl system call arguments to extract TLS context. To read the pointer arguments supplied by user space, the probe invokes bpf_probe_read. This helper does not distinguish between kernel and user address spaces. When supplied with a kernel virtual address, it dereferences kernel memory and returns the contents to the eBPF program. The instrumentation then forwards those bytes into telemetry spans. A local attacker who controls the ioctl arguments of an instrumented process can therefore harvest arbitrary kernel memory through OpenTelemetry output. The correct helper, bpf_probe_read_user, enforces user-space-only reads and would prevent the cross-boundary access.
Root Cause
The root cause is the use of the address-space-agnostic helper bpf_probe_read to dereference attacker-controlled pointers originating from user space. Newer kernels expose bpf_probe_read_user and bpf_probe_read_kernel specifically to separate these domains. By calling the unsafe variant, the probe trusts the caller-supplied pointer to be a user address and reads whatever the kernel happens to map at that location.
Attack Vector
Exploitation requires local access and the ability to run code inside a process that OBI is instrumenting. The attacker crafts ioctl calls with pointer arguments that resolve to kernel addresses of interest. The Java TLS probe fires, copies the targeted kernel memory into eBPF maps, and OBI exports the bytes via telemetry. The scope change reflects that the disclosure crosses a privilege boundary from the unprivileged process into kernel memory captured by a privileged collector.
No verified exploitation code is publicly available. Refer to the GitHub Security Advisory GHSA-fjq3-ffvr-vm46 for maintainer-provided technical details.
Detection Methods for CVE-2026-45683
Indicators of Compromise
- Telemetry spans from OBI containing unexpected binary blobs, kernel pointers, or strings resembling kernel structures rather than TLS metadata.
- Instrumented Java processes issuing high volumes of ioctl calls with unusual pointer arguments.
- Deployment of opentelemetry-ebpf-instrumentation at versions earlier than 0.9.0.
Detection Strategies
- Inventory eBPF-based observability agents and flag any OBI installation with a version below 0.9.0.
- Inspect OpenTelemetry collector exports for trace attributes from the Java TLS probe that contain non-printable or non-TLS byte sequences.
- Audit eBPF programs loaded on hosts for use of bpf_probe_read against user-supplied pointer arguments in TLS-related probes.
Monitoring Recommendations
- Forward OBI telemetry and host eBPF load events to a central logging or SIEM platform for retention and anomaly review.
- Alert on local processes invoking ioctl with pointer values outside expected user-space ranges on hosts running vulnerable OBI builds.
- Track package versions of opentelemetry:ebpf_instrumentation across the fleet to confirm patch coverage.
How to Mitigate CVE-2026-45683
Immediate Actions Required
- Upgrade all OpenTelemetry eBPF Instrumentation deployments to version 0.9.0 or later.
- Identify hosts running vulnerable OBI builds and prioritize systems that instrument Java workloads using the TLS ioctl probe.
- Restrict which local users and service accounts can execute code inside instrumented Java processes.
Patch Information
The maintainers fixed the issue by replacing bpf_probe_read with bpf_probe_read_user in the Java TLS ioctl probe. The fix ships in OpenTelemetry eBPF Instrumentation v0.9.0. Operators should pull the updated container image or Go module and redeploy the OBI agent. Full remediation context is available in the GitHub Security Advisory GHSA-fjq3-ffvr-vm46.
Workarounds
- Disable the Java TLS ioctl probe in OBI configuration until the agent is upgraded.
- Limit OBI instrumentation to trusted workloads where no untrusted local code executes inside instrumented processes.
- Reduce export of raw probe payloads in the OpenTelemetry collector pipeline to limit downstream exposure of any leaked bytes.
# Upgrade the OBI agent to a patched release
go install github.com/open-telemetry/opentelemetry-ebpf-instrumentation@v0.9.0
# Or pull the patched container image and redeploy
docker pull ghcr.io/open-telemetry/opentelemetry-ebpf-instrumentation:v0.9.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
