Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
OBI's replacement ELF parser trusts section offsets, counts, and string offsets from the executable file. A crafted local ELF can make OBI dereference invalid section pointers or slice past string tables, causing the agent to panic while determining the process language.
Details
matchExeSymbols iterates over sections and uses offsets/symbol names from the unvalidated fastelf context; nil section pointers or out-of-range offsets can trigger panics during dereference/slicing.
https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/exec/proclang_linux.go#L133-L165
GetCStringUnsafe and ReadStruct perform unsafe slicing and pointer conversion without guarding against out-of-range or negative offsets derived from ELF data, enabling panics on malformed input.
https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/fastelf/fastelf.go#L201-L213
NewElfContextFromData trusts Shoff/Shnum/Phnum from the ELF header, converting them to int and populating sections/segments without validating offsets or ensuring ReadStruct returned non-nil.
https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/fastelf/fastelf.go#L271-L296
Malformed ELF metadata can therefore crash OBI during normal process discovery.
PoC
Local testing confirms the parser panic path on the vulnerable release, but one caveat is worth noting: rerunning a previously captured malformed-ELF PoC directly against the current checkout did not reproduce the original crash. That means the parser has drifted since the vulnerable release, so reproduction should be performed against the affected release tag or commit range rather than assuming current HEAD still panics in exactly the same way.
Use a vulnerable build:
git checkout v0.0.0-rc.1+build
make buildCreate a small valid ELF and then corrupt its section-header metadata:
cat >/tmp/hello.c <<'EOF'
int main(void) { return 0; }
EOF
cc -o /tmp/hello /tmp/hello.c
cp /tmp/hello /tmp/hello-bad
printf '\xff\xff' | dd of=/tmp/hello-bad bs=1 seek=$((0x3c)) conv=notruncRun the malformed executable so OBI inspects it during process discovery:
chmod +x /tmp/hello-bad
/tmp/hello-bad &Start OBI or trigger a rescan of processes:
sudo ./bin/obiOn a vulnerable build, OBI can panic while parsing the malformed ELF. If the first corruption does not hit the exact fragile path on your architecture, alter section-name or symbol-table offsets instead; the root issue is the lack of defensive validation before GetCStringUnsafe and related section lookups.
Impact
This is a local denial of service against the telemetry agent. Any local tenant or process owner able to execute a malformed binary on a monitored host can crash OBI and interrupt observability for other workloads.
AnalysisAI
OBI's custom fastelf ELF parser in opentelemetry-ebpf-instrumentation crashes when processing malformed ELF binaries during routine process discovery on Linux hosts. Local users with standard execution rights can place or run a binary with corrupted section-header fields (Shoff, Shnum, or string-table offsets), causing the agent to panic inside matchExeSymbols, GetCStringUnsafe, or ReadStruct and terminate entirely. No public widespread exploitation has been identified and this is not listed in CISA KEV, but a PoC is confirmed in the GitHub Security Advisory (GHSA-wp73-mwgf-4jq9); the practical impact is a loss of observability for all workloads on the affected host.
Technical ContextAI
OBI (OpenTelemetry eBPF Instrumentation) uses a custom Go ELF parser called fastelf (pkg/internal/fastelf/fastelf.go) as a performance-oriented replacement for the standard library parser. On Linux, ELF (Executable and Linkable Format) headers embed offsets (Shoff), section counts (Shnum/Phnum), and string-table pointers that describe how the binary is laid out. NewElfContextFromData blindly converts these header values to int and uses them to populate section/segment slices without bounds-checking against the actual buffer length. Downstream, GetCStringUnsafe performs raw slice indexing and ReadStruct performs unsafe pointer conversion using these attacker-controlled offsets. matchExeSymbols in pkg/internal/exec/proclang_linux.go then iterates these unvalidated section pointers - a nil pointer or out-of-range offset causes an unrecovered Go panic. CWE-20 (Improper Input Validation) is the exact root cause: ELF header fields are attacker-controlled data from the filesystem and must be validated before use in memory operations. Affected package: pkg:go/go.opentelemetry.io_obi, versions prior to 0.9.0.
RemediationAI
The primary fix is to upgrade the go.opentelemetry.io/obi Go package to version 0.9.0, which is the vendor-released patch confirmed in advisory GHSA-wp73-mwgf-4jq9. Update go.mod accordingly and rebuild any binaries embedding OBI. If an immediate upgrade is not feasible, the most effective compensating control is restricting which users can execute arbitrary binaries on hosts running OBI - for example, enforcing mandatory access control profiles via SELinux or AppArmor to limit binary execution to trusted paths. This directly reduces the attacker's ability to introduce a malformed ELF into OBI's process discovery scope. Note that tightening execution restrictions may break legitimate workloads that rely on running ad-hoc binaries, so test carefully. There is no configuration flag to disable OBI's ELF inspection, as it is core to process language detection during instrumentation. Advisory reference: https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-wp73-mwgf-4jq9.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 16.0 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33951
GHSA-wp73-mwgf-4jq9