Which versions of Red Hat are affected by CVE-2026-39883?

OpenTelemetry Go SDK contains a command injection vulnerability affecting BSD and Solaris deployments that allows local attackers to execute arbitrary code during application startup by exploiting…. A patch is available.

Is there a public PoC exploit available for CVE-2026-39883?

Yes, a public proof-of-concept exploit is available for CVE-2026-39883. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-39883?

Within 24 hours: Audit inventory of deployed OpenTelemetry Go SDK versions across BSD and Solaris systems; identify all applications using affected versions. Within 7 days: Implement compensating controls on all at-risk systems (see mitigation section); restrict local user access to application runtime directories and enforce strict PATH environment variable controls. Within 30 days: Monitor vendor advisories for patch release; establish upgrade plan and test patched versions in non-production environments before production deployment.

Red Hat CVE-2026-39883

Q: What is the CVSS score of CVE-2026-39883?

CVE-2026-39883 has a CVSS 4.0 base score of 7.3 (High). CVSS vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-20630 HIGH

Untrusted Search Path (CWE-426)

2026-04-08 https://github.com/open-telemetry/opentelemetry-go

GHSA-hfvc-g4fc-pqhx

RCE Red Hat

7.3

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.3 HIGH

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Red Hat

8.8 HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Patch released

Apr 09, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 08, 2026 - 19:31 euvd

EUVD-2026-20630

Analysis Generated

Apr 08, 2026 - 19:31 vuln.today

CVE Published

Apr 08, 2026 - 19:22 nvd

HIGH 7.3

DescriptionGitHub Advisory

Summary

The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.

Root Cause

sdk/resource/host_id.go line 42:

if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil {

Compare with the fixed Darwin path at line 58:

result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice")

The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator.

Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.

The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems.

Attack

Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk
Attacker places a malicious kenv binary earlier in $PATH
Application initializes OpenTelemetry resource detection at startup
hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary
Arbitrary code executes in the context of the application

Same attack vector and impact as CVE-2026-24051.

Suggested Fix

Use the absolute path:

if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil {

On FreeBSD, kenv is located at /bin/kenv.

AnalysisAI

Command injection in OpenTelemetry Go SDK allows local attackers to execute arbitrary code by placing malicious kenv binary in PATH on BSD and Solaris systems. Vulnerability occurs during resource detection initialization when application resolves bare command name instead of absolute path. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Modify PATH environment variable

Exploit

Place malicious kenv binary

Execution

Trigger host_id.go execution

Impact

Execute arbitrary code with elevated privileges