Skip to main content

OpenTelemetry OBI CVE-2026-45680

| EUVDEUVD-2026-33954 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-18 https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation GHSA-89c6-vpcj-7vj4
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 20:32 vuln.today
Analysis Generated
May 18, 2026 - 20:32 vuln.today

DescriptionGitHub Advisory

Summary

OBI replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very large, causing the metrics exporter to spend excessive CPU time in a tight loop every collection interval.

Details

The vulnerable loop is in pkg/export/prom/prom_bpf.go. During each metrics tick, OBI iterates through probeMetrics and then executes for range metric.count, invoking BpfProbeLatency(...) for each individual recorded hit.

The count comes from calculateStats() in the same file, where deltaCount := bp.runCount - bp.prevRunCount is calculated and returned without any cap before the per-hit replay loop.

If probe activity spikes between scrape intervals, deltaCount can be very large. The exporter then spends CPU time proportional to the number of probe hits rather than the number of metric series.

PoC

Local testing with a small reproducer confirmed the replay-loop behavior and showed CPU scaling with the recorded hit count rather than the number of metric series.

Use a vulnerable build and enable internal metrics export:

bash
git checkout v0.0.0-rc.1+build
make build
export OTEL_EBPF_INTERNAL_METRICS_PROMETHEUS_PORT=9090
sudo ./bin/obi

Create a high-rate workload that repeatedly exercises traced probes. For example, generate HTTP traffic against an instrumented service:

bash
python3 -m http.server 18081

Then drive it:

bash
seq 1 500000 | xargs -P 128 -I{} curl -s http://127.0.0.1:18081 >/dev/null

At the same time, scrape metrics repeatedly:

bash
while true; do curl -s http://127.0.0.1:9090/metrics >/dev/null; done

On a vulnerable build, OBI CPU consumption rises sharply during the metrics loop because histogram updates are replayed once per counted probe execution. The effect is visible in top or pidstat and is most pronounced under sustained high request volume.

Impact

This is an availability issue in the internal metrics path. Any deployment that enables BPF internal metrics and traces busy workloads is affected. Attackers can indirectly consume CPU in the privileged agent by driving enough activity through instrumented services.

AnalysisAI

CPU exhaustion in OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 allows remote attackers to indirectly cause availability degradation of the privileged monitoring agent by generating high-volume traffic through instrumented services. The internal Prometheus metrics exporter replays BPF probe hits in a tight loop proportional to the raw hit count rather than the number of metric series, creating unbounded CPU work per collection interval. A proof-of-concept reproducer has been confirmed and published in the GitHub Security Advisory (GHSA-89c6-vpcj-7vj4); no public exploit identified at time of analysis beyond the PoC.

Technical ContextAI

OBI (the OpenTelemetry eBPF Instrumentation agent) uses eBPF probes to instrument kernel and user-space events. The internal metrics exporter surfaces probe-level statistics as Prometheus histograms. The root cause (CWE-400: Uncontrolled Resource Consumption) resides in pkg/export/prom/prom_bpf.go lines 128-144: during each metrics tick the exporter calls calculateStats() which computes deltaCount := bp.runCount - bp.prevRunCount with no upper bound enforced before the value is consumed. The outer export loop then executes for range metric.count, invoking BpfProbeLatency(...) once per individual recorded probe hit. On a busy system where thousands or millions of probes fire between scrape intervals, the loop becomes CPU-proportional to the hit delta rather than to the number of metric series. The affected Go package is go.opentelemetry.io/obi, CPE pkg:go/go.opentelemetry.io_obi, with versions below 0.9.0 confirmed vulnerable.

RemediationAI

Upgrade the Go module go.opentelemetry.io/obi to version 0.9.0 or later, which introduces a cap on deltaCount before the per-hit replay loop, breaking the linear CPU scaling. The vendor-released patch is version 0.9.0, confirmed by the GHSA advisory at https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-89c6-vpcj-7vj4. As an immediate compensating control for deployments that cannot upgrade immediately, disable the BPF internal Prometheus metrics endpoint by unsetting or not setting OTEL_EBPF_INTERNAL_METRICS_PROMETHEUS_PORT - this eliminates the attack surface entirely but also removes internal probe-level observability. A secondary mitigation is to rate-limit or restrict access to the internal metrics endpoint so that scrape frequency is bounded, reducing the number of times the expensive loop executes per unit time; however this does not eliminate the per-scrape CPU spike and is only a partial control. Applying kernel-level cgroup CPU quotas to the OBI process can contain blast radius but will not prevent the condition.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-45680 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy