Skip to main content

OpenTelemetry OBI CVE-2026-45676

| EUVDEUVD-2026-33951 MEDIUM
Improper Input Validation (CWE-20)
2026-05-18 https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation GHSA-wp73-mwgf-4jq9
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 18:34 vuln.today
Analysis Generated
May 18, 2026 - 18:34 vuln.today

DescriptionGitHub Advisory

Summary

OBI's replacement ELF parser trusts section offsets, counts, and string offsets from the executable file. A crafted local ELF can make OBI dereference invalid section pointers or slice past string tables, causing the agent to panic while determining the process language.

Details

matchExeSymbols iterates over sections and uses offsets/symbol names from the unvalidated fastelf context; nil section pointers or out-of-range offsets can trigger panics during dereference/slicing.

https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/exec/proclang_linux.go#L133-L165

GetCStringUnsafe and ReadStruct perform unsafe slicing and pointer conversion without guarding against out-of-range or negative offsets derived from ELF data, enabling panics on malformed input.

https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/fastelf/fastelf.go#L201-L213

NewElfContextFromData trusts Shoff/Shnum/Phnum from the ELF header, converting them to int and populating sections/segments without validating offsets or ensuring ReadStruct returned non-nil.

https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/fastelf/fastelf.go#L271-L296

Malformed ELF metadata can therefore crash OBI during normal process discovery.

PoC

Local testing confirms the parser panic path on the vulnerable release, but one caveat is worth noting: rerunning a previously captured malformed-ELF PoC directly against the current checkout did not reproduce the original crash. That means the parser has drifted since the vulnerable release, so reproduction should be performed against the affected release tag or commit range rather than assuming current HEAD still panics in exactly the same way.

Use a vulnerable build:

bash
git checkout v0.0.0-rc.1+build
make build

Create a small valid ELF and then corrupt its section-header metadata:

bash
cat >/tmp/hello.c <<'EOF'
int main(void) { return 0; }
EOF
cc -o /tmp/hello /tmp/hello.c
cp /tmp/hello /tmp/hello-bad
printf '\xff\xff' | dd of=/tmp/hello-bad bs=1 seek=$((0x3c)) conv=notrunc

Run the malformed executable so OBI inspects it during process discovery:

bash
chmod +x /tmp/hello-bad
/tmp/hello-bad &

Start OBI or trigger a rescan of processes:

bash
sudo ./bin/obi

On a vulnerable build, OBI can panic while parsing the malformed ELF. If the first corruption does not hit the exact fragile path on your architecture, alter section-name or symbol-table offsets instead; the root issue is the lack of defensive validation before GetCStringUnsafe and related section lookups.

Impact

This is a local denial of service against the telemetry agent. Any local tenant or process owner able to execute a malformed binary on a monitored host can crash OBI and interrupt observability for other workloads.

AnalysisAI

OBI's custom fastelf ELF parser in opentelemetry-ebpf-instrumentation crashes when processing malformed ELF binaries during routine process discovery on Linux hosts. Local users with standard execution rights can place or run a binary with corrupted section-header fields (Shoff, Shnum, or string-table offsets), causing the agent to panic inside matchExeSymbols, GetCStringUnsafe, or ReadStruct and terminate entirely. No public widespread exploitation has been identified and this is not listed in CISA KEV, but a PoC is confirmed in the GitHub Security Advisory (GHSA-wp73-mwgf-4jq9); the practical impact is a loss of observability for all workloads on the affected host.

Technical ContextAI

OBI (OpenTelemetry eBPF Instrumentation) uses a custom Go ELF parser called fastelf (pkg/internal/fastelf/fastelf.go) as a performance-oriented replacement for the standard library parser. On Linux, ELF (Executable and Linkable Format) headers embed offsets (Shoff), section counts (Shnum/Phnum), and string-table pointers that describe how the binary is laid out. NewElfContextFromData blindly converts these header values to int and uses them to populate section/segment slices without bounds-checking against the actual buffer length. Downstream, GetCStringUnsafe performs raw slice indexing and ReadStruct performs unsafe pointer conversion using these attacker-controlled offsets. matchExeSymbols in pkg/internal/exec/proclang_linux.go then iterates these unvalidated section pointers - a nil pointer or out-of-range offset causes an unrecovered Go panic. CWE-20 (Improper Input Validation) is the exact root cause: ELF header fields are attacker-controlled data from the filesystem and must be validated before use in memory operations. Affected package: pkg:go/go.opentelemetry.io_obi, versions prior to 0.9.0.

RemediationAI

The primary fix is to upgrade the go.opentelemetry.io/obi Go package to version 0.9.0, which is the vendor-released patch confirmed in advisory GHSA-wp73-mwgf-4jq9. Update go.mod accordingly and rebuild any binaries embedding OBI. If an immediate upgrade is not feasible, the most effective compensating control is restricting which users can execute arbitrary binaries on hosts running OBI - for example, enforcing mandatory access control profiles via SELinux or AppArmor to limit binary execution to trusted paths. This directly reduces the attacker's ability to introduce a malformed ELF into OBI's process discovery scope. Note that tightening execution restrictions may break legitimate workloads that rely on running ad-hoc binaries, so test carefully. There is no configuration flag to disable OBI's ELF inspection, as it is core to process language detection during instrumentation. Advisory reference: https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-wp73-mwgf-4jq9.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-45676 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy