CVE-2026-45287
Analyzed - Analysis Complete
File Descriptor Leak in OpenTelemetry-Go

Publication date: 2026-06-04

Last updated on: 2026-06-18

Assigner: GitHub, Inc.

Description
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17, `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leak one file descriptor on each successful `ParseFile` call. `ParseFile` opens the schema file and passes it to `Parse` without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. Exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path. Version 0.0.17 contains a patch for the issue.
Meta Information
Published: 2026-06-04
Last Modified: 2026-06-18
Generated: 2026-06-25
AI Q&A: 2026-06-04
EPSS Evaluated: 2026-06-23
Affected Vendors & Products
1 associated CPE
Vendor: opentelemetry
Product: telemetry_schema_files
Version / Range: up to 0.0.17 (0.0.17 excluded)
CWE
CWE ID Description
CWE-772 The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
CWE-775 The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.
Executive Summary

CVE-2026-45287 is a file descriptor leak in the schema parsing packages of OpenTelemetry-Go (go.opentelemetry.io/otel/schema/v1.0 and v1.1) before version 0.0.17. ParseFile opens the schema file, hands it to Parse, and returns without closing it, so every successful call leaves one descriptor open.

Over time, especially in long-running processes that repeatedly parse schema files, this leak can exhaust the process's file descriptor limit, potentially causing the application to fail to open new files or resources.

Exploitation requires a consuming application that lets an attacker trigger ParseFile repeatedly, which the advisory describes as exposing repeated parsing to an attacker-controlled path; that narrows the attack scenario. The leak itself does not depend on the path being hostile: a long-running process that re-parses a schema on its own schedule drifts toward the limit without any attacker involved.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition caused by resource exhaustion.

Each ParseFile call that is never paired with a Close consumes one slot of the process's open-file limit (RLIMIT_NOFILE). Once that limit is reached, new file opens, socket creation and accepted connections fail with EMFILE, so the failure surfaces well beyond the schema code, in whatever the process tries to open next.

This can cause the application or service to become unavailable or unstable, affecting availability but not confidentiality or integrity.

Compliance Impact

This vulnerability primarily affects availability due to denial of service from resource exhaustion.

There is no evidence that it compromises confidentiality or integrity of data, which are often the main focus of regulations like GDPR or HIPAA.

However, availability is also a component of many compliance frameworks, so prolonged denial of service could potentially impact compliance related to system uptime and reliability.

Detection Guidance

This vulnerability can be detected by monitoring the number of open file descriptors of the process that embeds the affected schema package and comparing it with the process's soft limit on open files (visible in /proc/<pid>/limits). Since each successful ParseFile call leaks one descriptor, repeated parsing produces a count that climbs in step with the number of calls.

One caveat when reproducing: Go's *os.File carries a finalizer that closes the descriptor once the object is garbage collected, so leaked descriptors are eventually reclaimed at GC time. The limit is still reachable because parsing outpaces collection in a process that otherwise allocates little, but a count that drops after a GC cycle is not evidence that the code is patched.

A proof-of-concept is a loop that calls ParseFile on the same schema file while watching the descriptor count; on Linux the count rises by one per iteration until an open fails with EMFILE, which Go reports as "too many open files".

To detect this on your system, you can monitor the number of open file descriptors for the relevant process using commands like:

  • lsof -p <pid> # Lists open files for the process with id <pid>
  • ls /proc/<pid>/fd | wc -l # Counts the number of open file descriptors for the process
  • watch -n 1 'ls /proc/<pid>/fd | wc -l' # Continuously monitor open file descriptors every second

If the number of open file descriptors climbs steadily during repeated schema parsing and is not released afterwards, the leak is present. The leaked descriptors all resolve to the schema file, so listing the descriptors with their link targets (ls -l on /proc/<pid>/fd) shows the same path repeated once per call, which distinguishes this leak from unrelated growth such as connection churn.

Mitigation Strategies

The immediate mitigation is to upgrade to version 0.0.17 or later of the go.opentelemetry.io/otel/schema module, which provides the affected v1.0 and v1.1 packages.

The patch makes ParseFile close the file after parsing, the idiomatic Go form being a defer file.Close() placed immediately after a successful os.Open so that every return path, error paths included, releases the descriptor.

Where an upgrade must wait, callers can sidestep ParseFile entirely: open the schema file themselves, pass the handle to Parse, and close it afterwards, which is the same work ParseFile does minus the missing Close. Independently, avoid exposing repeated schema parsing to attacker-controlled paths, since that exposure is what turns a slow leak into an on-demand denial of service, and alert on open-descriptor counts so the exhaustion is caught before it takes the service down.
