CVE-2026-45287
File Descriptor Leak in OpenTelemetry-Go
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open_telemetry | opentelemetry_go | < 0.0.17 (0.0.17 excluded) |
| open_telemetry | opentelemetry_go | 0.0.17 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-772 | The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. |
| CWE-775 | The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45287 is a file descriptor leak vulnerability in the OpenTelemetry-Go library, specifically in the schema parsing functionality for versions prior to 0.0.17. The function ParseFile opens a schema file but does not close it after parsing, causing one file descriptor to be leaked on each successful call.
Over time, especially in long-running processes that repeatedly parse schema files, this leak can exhaust the process's file descriptor limit, potentially causing the application to fail to open new files or resources.
Exploitation requires that an attacker can trigger ParseFile repeatedly, for example by controlling which schema file path is handed to it or how often it is called. Schema files are normally parsed a bounded number of times at startup, so the attack scenario is limited.
How can this vulnerability impact me?
The primary impact of this vulnerability is a denial of service (DoS) condition caused by resource exhaustion.
Repeated calls to ParseFile without closing file descriptors can cause the application to hit the system limit on open files, resulting in failures to open additional files, sockets, or other resources.
This can cause the application or service to become unavailable or unstable, affecting availability but not confidentiality or integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability primarily affects availability due to denial of service from resource exhaustion.
There is no evidence that it compromises confidentiality or integrity of data, which are often the main focus of regulations like GDPR or HIPAA.
However, availability is also a component of many compliance frameworks, so prolonged denial of service could potentially impact compliance related to system uptime and reliability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the number of open file descriptors used by the process running the OpenTelemetry-Go library. Since each call to ParseFile leaks one file descriptor, repeated parsing will cause the process to exhaust its file descriptor limit.
A proof of concept is a loop that calls ParseFile and watches the descriptor count climb until a later open fails with errno EMFILE; in Go the error reads `open <path>: too many open files`.
To detect this on your system, you can monitor the number of open file descriptors for the relevant process using commands like:
- lsof -p <pid> # Lists open files for the process with id <pid>
- ls /proc/<pid>/fd | wc -l # Counts the number of open file descriptors for the process
- watch -n 1 'ls /proc/<pid>/fd | wc -l' # Continuously monitor open file descriptors every second
If the count rises steadily during repeated schema parsing and never falls back, and `ls -l /proc/<pid>/fd` shows many descriptors pointing at the same schema file, the leak is present. The count alone is a symptom; confirm the cause by checking the library version in the build.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the OpenTelemetry-Go library to version 0.0.17 or later, where the vulnerability has been patched. The schema parser ships in the go.opentelemetry.io/otel/schema module, so `go list -m all | grep go.opentelemetry.io/otel/schema` shows the version a build actually resolves.
The patch ensures that the ParseFile function properly closes file descriptors after parsing by adding a defer file.Close() statement.
Additionally, do not let untrusted input trigger repeated schema parsing: parse schema files a fixed number of times at startup and cache the result, since exploitation depends on an attacker being able to drive many ParseFile calls.
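The following Go program is an added example, not code from the OpenTelemetry-Go project or from this advisory. It illustrates both the detection approach above (counting descriptors in /proc/<pid>/fd, here from inside the process via /proc/self/fd) and the fix (closing the file with defer). The parser stand-in, the function names parseFileLeaky, parseFileFixed, openFDs and fdGrowth, and the sample schema file are all constructed for the example; only the open-without-close shape mirrors what the advisory describes.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// parse stands in for the real schema parser, which takes an io.Reader and
// never sees the underlying *os.File, so it cannot be the one to close it.
// Constructed stand-in: it just drains the reader.
func parse(r io.Reader) error {
	_, err := io.ReadAll(r)
	return err
}

// parseFileLeaky has the pre-fix shape the advisory describes: the file is
// opened, handed to the parser and never closed, so each successful call
// leaves one descriptor behind.
func parseFileLeaky(path string) error {
	f, err := os.Open(path)
	if err != nil {
		return err
	}
	return parse(f) // f is never closed
}

// parseFileFixed closes the file on every return path. A Close error is only
// surfaced when the parse itself succeeded, so it does not mask a parse error.
func parseFileFixed(path string) (err error) {
	f, err := os.Open(path)
	if err != nil {
		return err
	}
	defer func() {
		if cerr := f.Close(); cerr != nil && err == nil {
			err = cerr
		}
	}()
	return parse(f)
}

// openFDs counts this process's open descriptors from /proc/self/fd, the same
// view `ls /proc/<pid>/fd | wc -l` gives from outside (Linux only). The
// directory handle used for the listing appears in it, so one is subtracted.
func openFDs() (int, error) {
	entries, err := os.ReadDir("/proc/self/fd")
	if err != nil {
		return 0, err
	}
	return len(entries) - 1, nil
}

// fdGrowth runs parseFile n times against a constructed schema file and
// returns how many descriptors the process gained. A leak-free parser yields
// 0; the leaky one yields one per call.
func fdGrowth(parseFile func(string) error, n int) (int, error) {
	dir, err := os.MkdirTemp("", "schema-fd")
	if err != nil {
		return 0, err
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "schema.yaml")
	// Constructed sample input: the leak does not depend on the file's content.
	sample := []byte("file_format: 1.1.0\nschema_url: https://example.invalid/1.1.0\n")
	if err := os.WriteFile(path, sample, 0o600); err != nil {
		return 0, err
	}
	before, err := openFDs()
	if err != nil {
		return 0, err
	}
	for i := 0; i < n; i++ {
		if err := parseFile(path); err != nil {
			return 0, err
		}
	}
	after, err := openFDs()
	if err != nil {
		return 0, err
	}
	return after - before, nil
}

func main() {
	// Fixed parser first: descriptors abandoned by the leaky run would
	// otherwise be closed by *os.File finalizers during a later measurement.
	for _, c := range []struct {
		name string
		fn   func(string) error
	}{{"fixed", parseFileFixed}, {"leaky", parseFileLeaky}} {
		growth, err := fdGrowth(c.fn, 50)
		if err != nil {
			fmt.Println("measurement failed (needs /proc/self/fd, i.e. Linux):", err)
			return
		}
		fmt.Printf("%-5s parser: +%d descriptors after 50 calls\n", c.name, growth)
	}
}
```

Two caveats matter when reading the numbers. Go attaches a finalizer to *os.File, so descriptors leaked this way are eventually closed once the garbage collector reaches the abandoned file objects; in a tight loop that rarely happens, which is why the leaky count tracks the call count, but in a long-running service the leak can look slow or intermittent rather than exact. And the measurement must start after the first os.Open in the process, because the Go runtime lazily creates its poller descriptors on first use; fdGrowth writes the sample file before taking the baseline for that reason.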