Skip to main content

OpenTelemetry eBPF Instrumentation EUVDEUVD-2026-33950

| CVE-2026-45682 MEDIUM
Memory Leak (CWE-401)
2026-05-18 https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation GHSA-962q-hwm5-52x5
5.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.1 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 21:11 vuln.today
Analysis Generated
May 18, 2026 - 21:11 vuln.today

DescriptionGitHub Advisory

Summary

The custom CappedConcurrentHashMap introduced for Java TLS state tracking never removes keys from its insertion-order queue when entries are deleted. In long-running instrumented JVMs, repeated connection churn can therefore grow the queue without bound and exhaust heap memory.

Details

The vulnerable implementation is in pkg/internal/java/agent/src/main/java/io/opentelemetry/obi/java/instrumentations/util/CappedConcurrentHashMap.java#L11. New keys are appended to a ConcurrentLinkedQueue, and eviction only runs inside put() when map.size() > capacity.

The remove() method removes the key from the ConcurrentHashMap but leaves the key in the queue. Because evictIfNeeded() only checks map.size() > capacity, the queue can grow forever in workloads that insert and remove keys while keeping the live map below the cap.

This pattern is reachable from pkg/internal/java/agent/src/main/java/io/opentelemetry/obi/java/instrumentations/data/SSLStorage.java#L66, where cleanupConnectionBufMapping removes entries from bufConn and activeConnections, and removeBufferMapping removes entries from bufToBuf. In normal TLS connection lifecycles, those removals happen frequently.

PoC

Local testing with a small Java reproducer showed queue growth continuing after removals and eventually reached OutOfMemoryError, which matches the code-level leak mechanism described above.

Use a vulnerable Java agent build from v0.0.0-rc.2+build.2 or any later release that still contains the change. Start any JVM process instrumented with OBI's Java TLS support, then generate a large number of short-lived TLS handshakes.

One local reproducer is:

bash
git checkout v0.0.0-rc.2+build.2
make build

Start a simple TLS server:

bash
openssl req -x509 -newkey rsa:2048 -nodes -keyout /tmp/key.pem -out /tmp/cert.pem -subj '/CN=localhost' -days 1
openssl s_server -accept 9443 -key /tmp/key.pem -cert /tmp/cert.pem -quiet

Run an instrumented JVM client that repeatedly opens and closes TLS connections:

java
// save as /tmp/TLSChurn.java
import javax.net.ssl.*;
import java.net.Socket;

public class TLSChurn {
  public static void main(String[] args) throws Exception {
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, new TrustManager[]{new X509TrustManager() {
      public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; }
      public void checkClientTrusted(java.security.cert.X509Certificate[] c, String a) {}
      public void checkServerTrusted(java.security.cert.X509Certificate[] c, String a) {}
    }}, new java.security.SecureRandom());

    SSLSocketFactory f = ctx.getSocketFactory();
    for (;;) {
      try (Socket s = f.createSocket("127.0.0.1", 9443)) {
        s.getOutputStream().write("x".getBytes());
      } catch (Exception ignored) {}
    }
  }
}

Compile and run:

bash
javac /tmp/TLSChurn.java
java TLSChurn

Attach the vulnerable OBI Java instrumentation to the JVM. Over time, heap usage in the OBI Java agent process grows even though live connection counts remain bounded. A heap dump will show large retention from ConcurrentLinkedQueue nodes owned by CappedConcurrentHashMap.

Impact

This issue causes an availability loss in instrumented Java workloads that use OBI's TLS instrumentation. Repeated connection setup and teardown can grow the retained queue until the Java helper experiences long GC pauses or exhausts heap memory with OutOfMemoryError.

AnalysisAI

Heap memory exhaustion in the OpenTelemetry eBPF Instrumentation (OBI) Java agent affects all versions prior to 0.9.0 due to a memory leak in the custom CappedConcurrentHashMap used for TLS state tracking. Repeated TLS connection setup and teardown causes the internal ConcurrentLinkedQueue to grow without bound, because remove() purges keys from the backing ConcurrentHashMap but never from the queue, and the eviction logic only fires on put() when map.size() exceeds the cap. Under sustained TLS churn - a normal workload pattern for long-running instrumented services - this leads to progressive heap growth, extended GC pauses, and eventual OutOfMemoryError in the Java agent process. A proof-of-concept reproducer is publicly available, though no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Technical ContextAI

The affected component is the OBI Java agent bundled within the OpenTelemetry eBPF Instrumentation project (CPE: pkg:go/go.opentelemetry.io/obi, vulnerable below 0.9.0). The agent instruments JVM TLS sessions by tracking SSL buffer-to-connection mappings in a custom bounded map, CappedConcurrentHashMap, implemented in Java. The root cause is CWE-401 (Missing Release of Memory after Effective Lifetime): the insertion-order queue (ConcurrentLinkedQueue) that supports bounded eviction retains stale key references indefinitely after remove() is called. The eviction guard - evictIfNeeded() - only checks map.size() > capacity, not queue.size(), so orphaned queue entries from removed keys are never reclaimed. The reachable code paths are SSLStorage.cleanupConnectionBufMapping() and removeBufferMapping(), both invoked on normal TLS session teardown, meaning every legitimate TLS disconnect contributes one leaked queue node. This is purely an availability issue; the CVSS vector (C:N/I:N/A:H) confirms no confidentiality or integrity impact, making the advisory tag 'Information Disclosure' inconsistent with the actual vulnerability class - that tag should be disregarded.

RemediationAI

Upgrade the OpenTelemetry eBPF Instrumentation Java agent to version 0.9.0, which contains the vendor-released patch per the GHSA-962q-hwm5-52x5 advisory. If an immediate upgrade is not feasible, the primary compensating control is to disable OBI's Java TLS instrumentation feature, eliminating the SSLStorage code paths that invoke CappedConcurrentHashMap removals; the trade-off is loss of TLS-layer observability for instrumented JVMs. Alternatively, operators can reduce memory pressure by increasing JVM heap allocation for the agent process and implementing heap monitoring with alerting on sustained growth - this does not fix the leak but extends time-to-failure and enables proactive restarts before OutOfMemoryError. Periodic agent process restarts (e.g., via a sidecar watchdog or orchestrator liveness probe) can also bound cumulative queue growth in high-churn environments as a tactical workaround. Advisory reference: https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-962q-hwm5-52x5.

CVE-2014-0160 HIGH POC
7.5 Apr 07

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe

CVE-2014-0195 MEDIUM POC
6.8 Jun 05

The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2016-0800 MEDIUM POC
5.9 Mar 01

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se

CVE-2015-0204 MEDIUM POC
4.3 Jan 09

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k

CVE-2014-3566 LOW POC
3.4 Oct 15

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak

CVE-2016-2107 MEDIUM POC
5.9 May 05

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a

CVE-2015-1793 MEDIUM POC
6.5 Jul 09

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly

CVE-2022-3602 HIGH
7.5 Nov 01

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig

CVE-2014-3470 MEDIUM
4.3 Jun 05

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before

CVE-2017-3730 HIGH POC
7.5 May 04

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this

CVE-2016-8610 HIGH
7.5 Nov 13

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

EUVD-2026-33950 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy