Skip to main content

OpenTelemetry eBPF CVE-2026-45681

| EUVDEUVD-2026-33955 MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-18 https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation GHSA-r6c9-g6q5-qrf9
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 20:32 vuln.today
Analysis Generated
May 18, 2026 - 20:32 vuln.today

DescriptionGitHub Advisory

Summary

The per-CPU message-buffer fallback path uses a 256-byte backup buffer but preserves the original payload size, which can be up to 8KB. If a CPU mismatch occurs, OBI can read beyond the fallback buffer and leak adjacent memory into telemetry.

Details

https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/032473449b53d9f02ec4619d4f5b84e6a81db362/bpf/common/http_buf_size.h#L4-L7

k_kprobes_http2_buf_size is defined as 256 bytes, the size of the fallback buffer.

https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/032473449b53d9f02ec4619d4f5b84e6a81db362/bpf/common/msg_buffer.h#L12-L36

Introduces 8KB per-CPU buffer and 256-byte fallback_buf in msg_buffer_t, creating a size mismatch for fallback use.

https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/032473449b53d9f02ec4619d4f5b84e6a81db362/bpf/generictracer/k_tracer.c#L370-L394

On CPU mismatch, fallback_buf is used but size is still set to m_buf->real_size (up to 8KB) and passed downstream.

https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/032473449b53d9f02ec4619d4f5b84e6a81db362/bpf/generictracer/protocol_http.h#L412-L441

bytes_len (from m_buf->real_size) is used to read payload data from u_buf; if u_buf is the 256B fallback, this can over-read and leak memory into telemetry.

https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/032473449b53d9f02ec4619d4f5b84e6a81db362/bpf/tpinjector/tpinjector.c#L192-L206

real_size is set up to 8192 bytes and stored with cpu_id; fallback_buf only contains 256 bytes.

PoC

Local testing with an AddressSanitizer user-space PoC reproduced the same class of size-mismatch over-read as the vulnerable fallback-buffer path. That result is sufficient to ground the advisory in a fresh local reproduction even though the exact end-to-end eBPF path still depends on host BPF capabilities.

To reproduce the validated behavior locally:

  1. create a struct that models fallback_buf[256] and real_size
  2. populate only the 256-byte fallback buffer
  3. simulate the CPU mismatch path by using the fallback buffer as the source pointer while preserving a much larger real_size
  4. perform a read of real_size bytes from that 256-byte backing store under ASan

An equivalent reproducer is:

c
// save as /tmp/poc_msgbuf_oob.c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct msg_buffer {
  unsigned char fallback_buf[256];
  uint16_t pos;
  uint16_t real_size;
  uint32_t cpu_id;
};

int main(void) {
  struct msg_buffer m = {0};
  unsigned char sink[8192];

  memset(m.fallback_buf, 'A', sizeof(m.fallback_buf));
  m.real_size = 4096;

  memcpy(sink, m.fallback_buf, m.real_size);
  printf("copied %u bytes from a 256-byte fallback buffer\n", m.real_size);
  return 0;
}

Compile and run with ASan:

bash
cc -fsanitize=address -O1 -g -o /tmp/poc_msgbuf_oob /tmp/poc_msgbuf_oob.c
ASAN_OPTIONS=abort_on_error=1 /tmp/poc_msgbuf_oob

Expected result:

text
AddressSanitizer: heap-buffer-overflow or stack-buffer-overflow

That user-space PoC matches the size-mismatch condition in the vulnerable code path, even though the exact end-to-end eBPF runtime path still requires host BPF attach/load capability.

Impact

This is a confidentiality issue in the HTTP tracing path. The vulnerable read occurs in OBI's local fallback-buffer handling when context propagation is enabled, the tpinjector sock_msg path is active, HTTP large-buffer capture is configured with a non-zero size, and a CPU mismatch occurs between producer and consumer contexts. Under those conditions, OBI can over-read from the fallback buffer and export unrelated memory through telemetry.

AnalysisAI

Out-of-bounds memory read in OpenTelemetry eBPF Instrumentation (OBI) prior to 0.9.0 exposes adjacent kernel memory through the HTTP tracing telemetry pipeline. The vulnerable path arises in the per-CPU message-buffer fallback logic in k_tracer.c and protocol_http.h: when a CPU mismatch occurs between producer and consumer contexts, OBI substitutes the 256-byte fallback_buf as the source buffer while retaining real_size values of up to 8KB, causing an over-read of up to 7,936 bytes of adjacent memory that is subsequently exported in telemetry. No public exploit identified at time of analysis, though publicly available exploit code exists as a validated user-space AddressSanitizer PoC demonstrating the same size-mismatch over-read class.

Technical ContextAI

OBI is a Go-based eBPF instrumentation agent (pkg:go/go.opentelemetry.io/obi) that instruments HTTP and HTTP2 traffic via kernel probes and socket message hooks. The msg_buffer_t struct (bpf/common/msg_buffer.h) contains both an 8KB per-CPU primary buffer and a 256-byte fallback_buf. The 8KB primary buffer size is governed by k_kprobes_http2_buf_size (defined in bpf/common/http_buf_size.h), while real_size in tpinjector.c can be set to up to 8192 bytes and is stored alongside cpu_id. When the consumer's CPU ID does not match the producer's, k_tracer.c (lines 370-394) substitutes fallback_buf as the read source but does not update real_size, passing the original up-to-8KB size downstream. protocol_http.h (lines 412-441) then uses bytes_len derived from m_buf->real_size to copy payload data from u_buf, which in the mismatch case is the 256-byte fallback - resulting in a CWE-125 (Out-of-Bounds Read) of up to 7,936 bytes beyond the buffer boundary. The leaked memory is subsequently emitted through telemetry, making this a confidentiality-impacting data exfiltration path within the eBPF instrumentation layer.

RemediationAI

The primary fix is to upgrade go.opentelemetry.io/obi to version 0.9.0, which is confirmed as the patched release per GitHub Advisory GHSA-r6c9-g6q5-qrf9 (https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-r6c9-g6q5-qrf9). If immediate upgrade is not possible, the following compensating controls reduce exposure: disable context propagation in OBI configuration to prevent the tpinjector sock_msg path from activating (trade-off: distributed trace context will not be propagated across service boundaries); set HTTP large-buffer capture size to zero to prevent real_size from exceeding the fallback buffer size (trade-off: HTTP payloads larger than the base buffer will not be captured); or restrict OBI deployment to single-CPU or CPU-pinned environments where producer-consumer CPU mismatches cannot occur (trade-off: limits horizontal scalability). Any of these controls, if reliably enforced, would prevent the vulnerable code path from being reached. Note that all three configuration conditions must be active simultaneously for the vulnerability to trigger, so disabling any single one of them is sufficient as a workaround.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-45681 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy