Skip to main content

OpenTelemetry OBI EUVDEUVD-2026-33957

| CVE-2026-45684 MEDIUM
Buffer Over-read (CWE-126)
2026-05-18 https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation GHSA-vvmg-8mjr-g6q3
4.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 21:10 vuln.today
Analysis Generated
May 18, 2026 - 21:10 vuln.today

DescriptionGitHub Advisory

Summary

OBI's log enricher mishandles writev buffers by reading only the first iovec entry but using the total iov_iter.count as the copy length. When log injection is enabled, a crafted multi-segment writev call can make OBI read and overwrite memory beyond the first segment.

Details

In bpf/logenricher/logenricher.c#L50, __fill_iov resolves only one struct iovec, specifically iov_ctx.iov[0] for ITER_IOVEC. The returned iov therefore describes only the first write segment.

However, __write later uses const size_t count = BPF_CORE_READ(from, count);, which is the total byte count across all segments in the iterator. That total is stored in e->len and used in bpf_probe_read_user(e->log, e->len, iov.iov_base) and bpf_probe_write_user(iov.iov_base, zero, to_write).

If count exceeds iov.iov_len, OBI reads and then zeroes memory past the end of the first segment. In practice, this can corrupt adjacent application buffers, leak memory into log events, and in some layouts destabilize the instrumented process.

PoC

Local testing with a minimal ASan harness reproduced the same out-of-bounds read/write condition as the vulnerable writev path.

Use a vulnerable build with the log enricher enabled.

bash
git checkout v0.7.0
make build

Create a program that performs a two-element writev, where the first buffer is short and the second is large:

c
// save as /tmp/writev-poc.c
#define _GNU_SOURCE
#include <sys/uio.h>
#include <unistd.h>
#include <string.h>

int main(void) {
  char a[8] = "HELLO\n";
  char b[256];
  memset(b, 'B', sizeof(b));

  struct iovec iov[2];
  iov[0].iov_base = a;
  iov[0].iov_len = sizeof(a);
  iov[1].iov_base = b;
  iov[1].iov_len = sizeof(b);

  for (;;) {
    writev(1, iov, 2);
    usleep(10000);
  }
}

Compile and run it:

bash
cc -O2 -o /tmp/writev-poc /tmp/writev-poc.c
/tmp/writev-poc >/dev/null

Attach OBI with log enrichment enabled to the running process:

bash
PID=$(pgrep -f /tmp/writev-poc)
sudo ./bin/obi --pid "$PID"

On a vulnerable build, OBI copies iov_iter.count bytes starting from iov[0].iov_base, even though iov[0] is only 8 bytes long. Depending on allocator layout, you will see one of the following:

  1. log events that include bytes beyond HELLO\n
  2. corrupted stdout content because OBI zeroed memory beyond the first iovec
  3. process instability or a crash

The issue is easiest to observe under a debugger or with ASan-enabled builds of the target program, but those are not required.

Impact

This is a memory safety flaw in the log-enrichment eBPF path. It affects deployments that enable log injection and instrument applications that write logs through writev. An attacker who can trigger the vulnerable local writev pattern inside the instrumented process can cause memory corruption or disclosure in that process. The most direct effects are corrupted output and adjacent-memory disclosure, with process instability possible if the overwrite lands on sensitive state.

AnalysisAI

Out-of-bounds read and write in OpenTelemetry eBPF Instrumentation (OBI) versions 0.7.0 through 0.8.x allows a local attacker to corrupt application memory and leak adjacent buffer contents by triggering a multi-segment writev call against a process instrumented with log enrichment enabled. The eBPF log enricher incorrectly uses the total iov_iter.count as the copy length while only resolving the first iovec segment, causing bpf_probe_read_user and bpf_probe_write_user to access memory beyond the first segment boundary. No public exploit identified at time of analysis, though a working proof-of-concept was included in the GitHub security advisory and confirmed to reproduce the out-of-bounds condition under ASan and debugger instrumentation.

Technical ContextAI

OBI is the OpenTelemetry eBPF Instrumentation agent (package go.opentelemetry.io/obi), which uses Linux eBPF probes to intercept system calls - including write and writev - for automatic log enrichment. The writev syscall accepts an array of iovec structures (a scatter-gather I/O list); each iovec describes a separate memory segment with its own base pointer and length, and iov_iter.count holds the total byte count across all segments. The vulnerable code in bpf/logenricher/logenricher.c at __fill_iov resolves only iov_ctx.iov[0], giving a pointer and length for the first segment only. The __write function then reads BPF_CORE_READ(from, count) - the aggregate count - and stores it in e->len, which is subsequently passed to bpf_probe_read_user and bpf_probe_write_user using iov[0].iov_base as the starting address. When iov_iter.count exceeds iov[0].iov_len, both eBPF helpers operate past the end of the first segment, constituting a CWE-126 buffer over-read (and a corresponding over-write via the zero-fill). The flaw is architectural: the segment count is read from the kernel iov_iter structure correctly, but the probe never iterates to validate against the per-segment length.

RemediationAI

The primary remediation is to upgrade go.opentelemetry.io/obi to version 0.9.0 or later, which contains the fix for the __fill_iov and __write mismatch in the log enricher eBPF path. The vendor-released patch version is confirmed as 0.9.0 per the GitHub advisory GHSA-vvmg-8mjr-g6q3 at https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-vvmg-8mjr-g6q3. If an immediate upgrade is not feasible, the most effective compensating control is to disable log injection entirely by not enabling the log enrichment feature in OBI's configuration - this removes the vulnerable code path from execution entirely, with the trade-off of losing automatic log correlation. Alternatively, restricting OBI from instrumenting processes that issue multi-segment writev calls (for example, by scoping OBI's PID attachment to only trusted, single-iovec workloads) reduces exposure but requires per-workload audit and is difficult to enforce durably. There is no eBPF-level filter that can safely distinguish safe writev patterns from vulnerable ones without fixing the underlying index/count mismatch. Patching to 0.9.0 is strongly preferred over either workaround.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

EUVD-2026-33957 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy