Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The per-CPU message-buffer fallback path uses a 256-byte backup buffer but preserves the original payload size, which can be up to 8KB. If a CPU mismatch occurs, OBI can read beyond the fallback buffer and leak adjacent memory into telemetry.
Details
https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/032473449b53d9f02ec4619d4f5b84e6a81db362/bpf/common/http_buf_size.h#L4-L7
k_kprobes_http2_buf_size is defined as 256 bytes, the size of the fallback buffer.
https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/032473449b53d9f02ec4619d4f5b84e6a81db362/bpf/common/msg_buffer.h#L12-L36
Introduces 8KB per-CPU buffer and 256-byte fallback_buf in msg_buffer_t, creating a size mismatch for fallback use.
https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/032473449b53d9f02ec4619d4f5b84e6a81db362/bpf/generictracer/k_tracer.c#L370-L394
On CPU mismatch, fallback_buf is used but size is still set to m_buf->real_size (up to 8KB) and passed downstream.
https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/032473449b53d9f02ec4619d4f5b84e6a81db362/bpf/generictracer/protocol_http.h#L412-L441
bytes_len (from m_buf->real_size) is used to read payload data from u_buf; if u_buf is the 256B fallback, this can over-read and leak memory into telemetry.
https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/032473449b53d9f02ec4619d4f5b84e6a81db362/bpf/tpinjector/tpinjector.c#L192-L206
real_size is set up to 8192 bytes and stored with cpu_id; fallback_buf only contains 256 bytes.
PoC
Local testing with an AddressSanitizer user-space PoC reproduced the same class of size-mismatch over-read as the vulnerable fallback-buffer path. That result is sufficient to ground the advisory in a fresh local reproduction even though the exact end-to-end eBPF path still depends on host BPF capabilities.
To reproduce the validated behavior locally:
- create a struct that models
fallback_buf[256]andreal_size - populate only the 256-byte fallback buffer
- simulate the CPU mismatch path by using the fallback buffer as the source pointer while preserving a much larger
real_size - perform a read of
real_sizebytes from that 256-byte backing store under ASan
An equivalent reproducer is:
// save as /tmp/poc_msgbuf_oob.c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
struct msg_buffer {
unsigned char fallback_buf[256];
uint16_t pos;
uint16_t real_size;
uint32_t cpu_id;
};
int main(void) {
struct msg_buffer m = {0};
unsigned char sink[8192];
memset(m.fallback_buf, 'A', sizeof(m.fallback_buf));
m.real_size = 4096;
memcpy(sink, m.fallback_buf, m.real_size);
printf("copied %u bytes from a 256-byte fallback buffer\n", m.real_size);
return 0;
}Compile and run with ASan:
cc -fsanitize=address -O1 -g -o /tmp/poc_msgbuf_oob /tmp/poc_msgbuf_oob.c
ASAN_OPTIONS=abort_on_error=1 /tmp/poc_msgbuf_oobExpected result:
AddressSanitizer: heap-buffer-overflow or stack-buffer-overflowThat user-space PoC matches the size-mismatch condition in the vulnerable code path, even though the exact end-to-end eBPF runtime path still requires host BPF attach/load capability.
Impact
This is a confidentiality issue in the HTTP tracing path. The vulnerable read occurs in OBI's local fallback-buffer handling when context propagation is enabled, the tpinjector sock_msg path is active, HTTP large-buffer capture is configured with a non-zero size, and a CPU mismatch occurs between producer and consumer contexts. Under those conditions, OBI can over-read from the fallback buffer and export unrelated memory through telemetry.
AnalysisAI
Out-of-bounds memory read in OpenTelemetry eBPF Instrumentation (OBI) prior to 0.9.0 exposes adjacent kernel memory through the HTTP tracing telemetry pipeline. The vulnerable path arises in the per-CPU message-buffer fallback logic in k_tracer.c and protocol_http.h: when a CPU mismatch occurs between producer and consumer contexts, OBI substitutes the 256-byte fallback_buf as the source buffer while retaining real_size values of up to 8KB, causing an over-read of up to 7,936 bytes of adjacent memory that is subsequently exported in telemetry. No public exploit identified at time of analysis, though publicly available exploit code exists as a validated user-space AddressSanitizer PoC demonstrating the same size-mismatch over-read class.
Technical ContextAI
OBI is a Go-based eBPF instrumentation agent (pkg:go/go.opentelemetry.io/obi) that instruments HTTP and HTTP2 traffic via kernel probes and socket message hooks. The msg_buffer_t struct (bpf/common/msg_buffer.h) contains both an 8KB per-CPU primary buffer and a 256-byte fallback_buf. The 8KB primary buffer size is governed by k_kprobes_http2_buf_size (defined in bpf/common/http_buf_size.h), while real_size in tpinjector.c can be set to up to 8192 bytes and is stored alongside cpu_id. When the consumer's CPU ID does not match the producer's, k_tracer.c (lines 370-394) substitutes fallback_buf as the read source but does not update real_size, passing the original up-to-8KB size downstream. protocol_http.h (lines 412-441) then uses bytes_len derived from m_buf->real_size to copy payload data from u_buf, which in the mismatch case is the 256-byte fallback - resulting in a CWE-125 (Out-of-Bounds Read) of up to 7,936 bytes beyond the buffer boundary. The leaked memory is subsequently emitted through telemetry, making this a confidentiality-impacting data exfiltration path within the eBPF instrumentation layer.
RemediationAI
The primary fix is to upgrade go.opentelemetry.io/obi to version 0.9.0, which is confirmed as the patched release per GitHub Advisory GHSA-r6c9-g6q5-qrf9 (https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-r6c9-g6q5-qrf9). If immediate upgrade is not possible, the following compensating controls reduce exposure: disable context propagation in OBI configuration to prevent the tpinjector sock_msg path from activating (trade-off: distributed trace context will not be propagated across service boundaries); set HTTP large-buffer capture size to zero to prevent real_size from exceeding the fallback buffer size (trade-off: HTTP payloads larger than the base buffer will not be captured); or restrict OBI deployment to single-CPU or CPU-pinned environments where producer-consumer CPU mismatches cannot occur (trade-off: limits horizontal scalability). Any of these controls, if reliably enforced, would prevent the vulnerable code path from being reached. Note that all three configuration conditions must be active simultaneously for the vulnerability to trigger, so disabling any single one of them is sufficient as a workaround.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 16.0 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33955
GHSA-r6c9-g6q5-qrf9