CVE-2026-45684 Overview
CVE-2026-45684 affects the OpenTelemetry eBPF Instrumentation (OBI) project, which provides eBPF-based instrumentation aligned with the OpenTelemetry standard. The vulnerability resides in OBI's log enricher, which mishandles writev buffers when log injection is enabled. The enricher reads only the first iovec entry while using the total iov_iter.count as the copy length. A crafted multi-segment writev call can cause OBI to read and overwrite memory beyond the first segment. Affected versions include 0.7.0 through 0.8.x, and the issue is fixed in version 0.9.0. The flaw is classified under CWE-126 (Buffer Over-read).
Critical Impact
A local attacker with low privileges can trigger out-of-bounds memory reads and writes in the OBI log enricher, leading to limited confidentiality, integrity, and availability impact within the instrumented process context.
Affected Products
- OpenTelemetry eBPF Instrumentation (OBI) version 0.7.0
- OpenTelemetry eBPF Instrumentation (OBI) versions 0.7.x through 0.8.x
- All Go-based deployments of opentelemetry:ebpf_instrumentation prior to 0.9.0
Discovery Timeline
- 2026-06-02 - CVE-2026-45684 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-45684
Vulnerability Analysis
The vulnerability resides in OBI's log enricher component, which intercepts and augments log output captured through writev system calls. The writev system call accepts an array of iovec structures, each describing a separate memory segment to write. OBI's enricher implementation reads data from only the first iovec entry in the array. However, the code uses the aggregate iov_iter.count value, representing the total length across all segments, as the length parameter for the copy operation. This length mismatch causes the enricher to treat memory beyond the first segment as if it belonged to a single contiguous buffer.
When log injection is enabled, the enricher subsequently overwrites memory using the same incorrect length. The result is both an out-of-bounds read and an out-of-bounds write relative to the actual first segment's boundary. The flaw is tracked under CWE-126 and impacts the integrity of process memory adjacent to legitimate log buffers.
Root Cause
The root cause is an inconsistency between the data source and the length value used in a copy operation. The enricher logic correctly references the first iovec.iov_base and iovec.iov_len for reading data, but incorrectly substitutes iov_iter.count as the length parameter. iov_iter.count reflects the cumulative byte count across every iovec in the array, not the length of any single segment. The mismatch becomes exploitable when a caller issues a writev with multiple segments.
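As an added illustration, and not OBI's own code, the following user-space C model shows the length mismatch described above beside a hardened gather that keeps length and data source consistent; the three-segment writev layout, the log contents and the function names are constructed for this example.

```c
#include <stddef.h>
#include <string.h>
#include <sys/uio.h>

/* Constructed multi-segment writev: a short first segment followed by
 * two larger ones. The contents are illustrative, not a captured call. */
char seg0[] = "log:";
char seg1[] = "user=alice action=login";
char seg2[] = " result=ok\n";
const struct iovec sample_iov[3] = {
    { seg0, sizeof(seg0) - 1 },   /* 4 bytes  */
    { seg1, sizeof(seg1) - 1 },   /* 23 bytes */
    { seg2, sizeof(seg2) - 1 },   /* 11 bytes */
};

/* Length the vulnerable enricher used: the iov_iter.count total across
 * all segments, even though it only ever read from iov[0].iov_base. */
size_t vulnerable_copy_len(const struct iovec *iov, int iovcnt) {
    size_t total = 0;
    for (int i = 0; i < iovcnt; i++) total += iov[i].iov_len;
    return total;
}

/* Bytes beyond the first segment that the vulnerable length would read
 * and, with log injection on, write. Zero means no mismatch exists. */
size_t overrun_bytes(const struct iovec *iov, int iovcnt) {
    size_t total = vulnerable_copy_len(iov, iovcnt);
    if (iovcnt < 1 || total <= iov[0].iov_len) return 0;
    return total - iov[0].iov_len;
}

/* Hardened gather (illustrative fix, not the project's patch): walk every
 * segment and bound each copy by that segment's own iov_len and by the
 * destination capacity, so the copy length always matches its source. */
size_t gather_iov(const struct iovec *iov, int iovcnt, char *out, size_t outcap) {
    size_t copied = 0;
    for (int i = 0; i < iovcnt && copied < outcap; i++) {
        size_t n = iov[i].iov_len;
        if (n > outcap - copied) n = outcap - copied;
        memcpy(out + copied, iov[i].iov_base, n);
        copied += n;
    }
    return copied;
}
```

For the constructed call the vulnerable length is 38 bytes against a 4-byte first segment, a 34-byte overrun; the hardened gather copies all 38 bytes from their real segments and truncates cleanly when the destination is smaller.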
Attack Vector
Exploitation requires local access and the ability to invoke writev against a file descriptor handled by an instrumented process with log injection enabled. An attacker constructs a multi-segment writev call where the first iovec is short and subsequent segments inflate the total iov_iter.count. OBI then reads past the first segment and overwrites memory that the attacker did not provide as input. The vulnerability requires log injection to be active for impact to manifest.
No public proof-of-concept exploit is available. The EPSS score of 0.013% reflects low likelihood of opportunistic exploitation.
Detection Methods for CVE-2026-45684
Indicators of Compromise
- Unexpected process crashes or memory corruption symptoms in services instrumented with OBI versions 0.7.0 through 0.8.x
- Anomalous writev system call patterns with unusually short first iovec segments followed by larger segments in instrumented workloads
- Log enricher output containing fragments of unrelated process memory or malformed log records
Detection Strategies
- Inventory all deployments of opentelemetry:ebpf_instrumentation and confirm the running version using obi --version or container image tags
- Audit configuration for the log injection feature and identify processes where the enricher is active
- Review eBPF tracepoint logs for repeated invocations of writev with multi-segment payloads against instrumented file descriptors
Monitoring Recommendations
- Track OBI binary versions across Kubernetes clusters and bare-metal hosts through software bill of materials (SBOM) tooling
- Forward OBI service logs to a centralized logging platform and alert on parser errors, truncated records, or unexpected byte sequences
- Monitor host-level memory and stability metrics for processes running OBI-enriched workloads
How to Mitigate CVE-2026-45684
Immediate Actions Required
- Upgrade OpenTelemetry eBPF Instrumentation to version 0.9.0 or later across all environments
- If immediate upgrade is not feasible, disable the log injection feature in OBI configuration until patching is complete
- Restrict local access to hosts running OBI to trusted operators only and review existing service accounts with writev access to instrumented descriptors
Patch Information
The issue is patched in OpenTelemetry eBPF Instrumentation version 0.9.0. Release notes and the fix are available in the GitHub Release v0.9.0. The vendor advisory is published as GitHub Security Advisory GHSA-vvmg-8mjr-g6q3.
Workarounds
- Disable log injection in the OBI configuration to prevent the vulnerable overwrite path from executing
- Limit which workloads OBI instruments by tightening discovery selectors and excluding untrusted processes
- Apply Linux capability restrictions and seccomp profiles to reduce the set of processes able to issue arbitrary writev calls against instrumented descriptors
# Upgrade OBI to the patched release
# Example for container deployments
docker pull ghcr.io/open-telemetry/opentelemetry-ebpf-instrumentation:v0.9.0
# Verify the running version
obi --version
# Temporary workaround: disable log injection in OBI configuration
# (refer to the official OBI configuration reference for the exact key)
OTEL_EBPF_LOG_INJECTION=false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.