Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/open-telemetry/opentelemetry-go) · only source for this CVE.
CVSS VectorVendor: https://github.com/open-telemetry/opentelemetry-go
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Summary
go.opentelemetry.io/otel/schema/v1.0 and go.opentelemetry.io/otel/schema/v1.1 leaks one file descriptor on each successful ParseFile call. ParseFile opens the schema file and passes it to Parse without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. The severity is low because exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path.
Introduced in commit: e72a235
Details
In schema/v1.0/parser.go:41-47, ParseFile opens the requested schema path with os.Open and then returns Parse(file) without a defer file.Close() or other close path:
file, err := os.Open(schemaFilePath)
if err != nil {
return nil, err
}
return Parse(file)The validation evidence also identifies schema/v1.0/parser.go:50-73: Parse accepts an io.Reader, decodes from it, and does not close it. Ownership of the opened file is therefore not transferred to Parse, leaving the descriptor open until the Go runtime eventually finalizes the file object. With repeated ParseFile calls, descriptors can accumulate until the process receives EMFILE / "too many open files".
PoC
The local artifact validation-artifact.zip contains:
leak_poc.go: PoC source that repeatedly callsschema.ParseFile("schema/v1.0/testdata/valid-example.yaml")and prints/proc/self/fdcounts.LEAK_POC_README.txt: reproduction notes.leak_poc_run.log: captured attempted run; the local offline environment failed before execution because Go module download fromproxy.golang.orgwas forbidden.
Reproduce from the root of a checkout of pellared/opentelemetry-go at commit e72a235 with Go module dependencies already available:
/bin/sh -c 'ulimit -n 256; GOGC=off go run leak_poc.go'Configuration:
- File descriptor soft limit:
256 - Garbage collection: disabled with
GOGC=offso leaked descriptors are not reclaimed during the loop - Schema file:
schema/v1.0/testdata/valid-example.yaml
Expected output is increasing descriptor counts followed by an EMFILE failure, for example:
iter 0 fds 7
iter 50 fds 57
iter 100 fds 107
...
panic: iteration 248: open schema/v1.0/testdata/valid-example.yaml: too many open filesThe exact initial descriptor count and failing iteration can vary by OS and process state.
Impact
This is a file descriptor resource leak leading to availability loss. Applications that call schema.ParseFile repeatedly, especially through a runtime reload or request-controlled path, can exhaust their process file descriptor table and fail subsequent file, socket, or other descriptor operations. Impact is limited to denial of service of the consuming process; the evidence does not show confidentiality or integrity impact.
AnalysisAI
File descriptor exhaustion in go.opentelemetry.io/otel/schema v1.0 and v1.1 enables denial of service against long-running Go processes. The ParseFile function in schema/v1.0/parser.go opens schema files via os.Open but never closes them - neither via defer nor by transferring ownership to the downstream Parse(io.Reader) call - leaving descriptors open until the Go garbage collector finalizes the file object. Publicly available exploit code exists demonstrating that repeated ParseFile calls accumulate leaked descriptors until the process receives EMFILE ('too many open files'), disrupting all subsequent file, socket, and descriptor operations. Exploitation is contingent on an application exposing ParseFile invocation to attacker-controlled or attacker-triggered paths.
Technical ContextAI
The affected packages are go.opentelemetry.io/otel/schema/v1.0 and go.opentelemetry.io/otel/schema/v1.1, both at versions <= 0.0.16 (CPE: pkg:go/go.opentelemetry.io_otel_schema_v1.0 and pkg:go/go.opentelemetry.io_otel_schema_v1.1). The root cause maps to CWE-772 (Missing Release of Resource after Effective Lifetime). In schema/v1.0/parser.go lines 41-47, ParseFile calls os.Open to obtain a *os.File, then immediately returns Parse(file) - a function that accepts only an io.Reader interface and has no mechanism to close the underlying file. Because Parse receives an interface value (not ownership of the file descriptor), and no defer file.Close() or explicit close path exists in ParseFile, the descriptor remains open until the Go runtime GC finalizes the *os.File object. Under normal GC cadence this may be tolerable, but with GOGC=off or under memory pressure where GC is infrequent, descriptors accumulate rapidly. The bug was introduced in commit e72a235 of the opentelemetry-go repository.
RemediationAI
Upgrade both go.opentelemetry.io/otel/schema/v1.0 and go.opentelemetry.io/otel/schema/v1.1 to version 0.0.17, which is the vendor-released patch per the GitHub advisory at https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-995v-fvrw-c78m. Run 'go get go.opentelemetry.io/otel/schema@v0.0.17' and update go.sum accordingly. If upgrading immediately is not possible, the primary compensating control is to ensure ParseFile is never called on a hot path or in response to external input - restrict schema parsing to startup-time initialization only, so descriptors are bounded and effectively static for the process lifetime. This eliminates the accumulation vector without code changes, but the trade-off is loss of runtime schema reloading capability. Raising the OS file descriptor limit (ulimit -n) delays but does not prevent exhaustion and is not a viable long-term workaround for high-throughput applications.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34291
GHSA-995v-fvrw-c78m