Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
OBI replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very large, causing the metrics exporter to spend excessive CPU time in a tight loop every collection interval.
Details
The vulnerable loop is in pkg/export/prom/prom_bpf.go. During each metrics tick, OBI iterates through probeMetrics and then executes for range metric.count, invoking BpfProbeLatency(...) for each individual recorded hit.
The count comes from calculateStats() in the same file, where deltaCount := bp.runCount - bp.prevRunCount is calculated and returned without any cap before the per-hit replay loop.
If probe activity spikes between scrape intervals, deltaCount can be very large. The exporter then spends CPU time proportional to the number of probe hits rather than the number of metric series.
PoC
Local testing with a small reproducer confirmed the replay-loop behavior and showed CPU scaling with the recorded hit count rather than the number of metric series.
Use a vulnerable build and enable internal metrics export:
git checkout v0.0.0-rc.1+build
make build
export OTEL_EBPF_INTERNAL_METRICS_PROMETHEUS_PORT=9090
sudo ./bin/obiCreate a high-rate workload that repeatedly exercises traced probes. For example, generate HTTP traffic against an instrumented service:
python3 -m http.server 18081Then drive it:
seq 1 500000 | xargs -P 128 -I{} curl -s http://127.0.0.1:18081 >/dev/nullAt the same time, scrape metrics repeatedly:
while true; do curl -s http://127.0.0.1:9090/metrics >/dev/null; doneOn a vulnerable build, OBI CPU consumption rises sharply during the metrics loop because histogram updates are replayed once per counted probe execution. The effect is visible in top or pidstat and is most pronounced under sustained high request volume.
Impact
This is an availability issue in the internal metrics path. Any deployment that enables BPF internal metrics and traces busy workloads is affected. Attackers can indirectly consume CPU in the privileged agent by driving enough activity through instrumented services.
AnalysisAI
CPU exhaustion in OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 allows remote attackers to indirectly cause availability degradation of the privileged monitoring agent by generating high-volume traffic through instrumented services. The internal Prometheus metrics exporter replays BPF probe hits in a tight loop proportional to the raw hit count rather than the number of metric series, creating unbounded CPU work per collection interval. A proof-of-concept reproducer has been confirmed and published in the GitHub Security Advisory (GHSA-89c6-vpcj-7vj4); no public exploit identified at time of analysis beyond the PoC.
Technical ContextAI
OBI (the OpenTelemetry eBPF Instrumentation agent) uses eBPF probes to instrument kernel and user-space events. The internal metrics exporter surfaces probe-level statistics as Prometheus histograms. The root cause (CWE-400: Uncontrolled Resource Consumption) resides in pkg/export/prom/prom_bpf.go lines 128-144: during each metrics tick the exporter calls calculateStats() which computes deltaCount := bp.runCount - bp.prevRunCount with no upper bound enforced before the value is consumed. The outer export loop then executes for range metric.count, invoking BpfProbeLatency(...) once per individual recorded probe hit. On a busy system where thousands or millions of probes fire between scrape intervals, the loop becomes CPU-proportional to the hit delta rather than to the number of metric series. The affected Go package is go.opentelemetry.io/obi, CPE pkg:go/go.opentelemetry.io_obi, with versions below 0.9.0 confirmed vulnerable.
RemediationAI
Upgrade the Go module go.opentelemetry.io/obi to version 0.9.0 or later, which introduces a cap on deltaCount before the per-hit replay loop, breaking the linear CPU scaling. The vendor-released patch is version 0.9.0, confirmed by the GHSA advisory at https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-89c6-vpcj-7vj4. As an immediate compensating control for deployments that cannot upgrade immediately, disable the BPF internal Prometheus metrics endpoint by unsetting or not setting OTEL_EBPF_INTERNAL_METRICS_PROMETHEUS_PORT - this eliminates the attack surface entirely but also removes internal probe-level observability. A secondary mitigation is to rate-limit or restrict access to the internal metrics endpoint so that scrape frequency is bounded, reducing the number of times the expensive loop executes per unit time; however this does not eliminate the per-scrape CPU spike and is only a partial control. Applying kernel-level cgroup CPU quotas to the OBI process can contain blast radius but will not prevent the condition.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 16.0 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33954
GHSA-89c6-vpcj-7vj4