CVE-2026-45683
Analyzed Analyzed - Analysis Complete
Memory Corruption in OpenTelemetry eBPF Instrumentation

Publication date: 2026-06-02

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the Java TLS ioctl probe reads user-controlled ioctl pointers with bpf_probe_read instead of bpf_probe_read_user. An instrumented local process can therefore point OBI at kernel memory and cause that memory to be copied into telemetry. This issue has been patched in version 0.9.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-03
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-45683
EUVD
EUVD-2026-33956
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opentelemetry ebpf_instrumentation to 0.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-127 The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows local kernel memory disclosure through the OpenTelemetry eBPF instrumentation's Java TLS ioctl probe. This exposure of sensitive kernel memory could potentially lead to unauthorized access to sensitive information.

While the severity is rated as low and requires local access, any unauthorized disclosure of sensitive data can impact compliance with standards such as GDPR and HIPAA, which mandate protection of sensitive and personal data.

Therefore, if exploited in an environment subject to these regulations, this vulnerability could pose a risk to compliance by exposing sensitive information to unauthorized actors.

Executive Summary

The CVE-2026-45683 vulnerability affects the OpenTelemetry eBPF Instrumentation, specifically a Java TLS ioctl kprobe. The issue occurs because the probe uses the function bpf_probe_read instead of the safer bpf_probe_read_user to read user-controlled ioctl pointers. This flaw allows an instrumented local process to supply a pointer to kernel memory, causing the probe to read and expose kernel memory contents into telemetry data.

The vulnerable code is located in bpf/generictracer/java_tls.c, where ioctl calls for Java TLS magic commands are filtered and structured data is read from the provided pointer. Since the pointer comes from user space, it should be strictly validated and read using bpf_probe_read_user to prevent unauthorized kernel memory access.

Exploitation requires a vulnerable build of OpenTelemetry eBPF Instrumentation with Java TLS support, a host capable of loading BPF programs, and a local process issuing a crafted ioctl call with an attacker-controlled pointer. The vulnerability was patched in version 0.9.0.

Impact Analysis

This vulnerability can lead to local kernel memory disclosure. An attacker with local access and the ability to run an instrumented process can cause sensitive kernel memory contents to be copied into telemetry data, potentially exposing sensitive information.

However, the impact is considered low severity with a CVSS score of 3.8 because exploitation requires local access, low privileges, and the presence of Java TLS instrumentation enabled in the OpenTelemetry eBPF setup.

The vulnerability does not affect system integrity or availability but can compromise confidentiality by exposing kernel memory contents.

Detection Guidance

Detection of CVE-2026-45683 involves identifying if a vulnerable version of OpenTelemetry eBPF Instrumentation is running, specifically versions prior to 0.9.0 with Java TLS ioctl kprobe enabled.

Since exploitation requires a local process issuing crafted ioctl calls with attacker-controlled pointers, monitoring for unusual or suspicious ioctl calls related to Java TLS magic commands may help detect attempts.

You can check the installed version of OpenTelemetry eBPF Instrumentation to confirm if it is older than 0.9.0.

  • Check the version of OpenTelemetry eBPF Instrumentation installed on your system.
  • Use system tools like `bpftool` to list loaded BPF programs and identify if the vulnerable Java TLS ioctl kprobe is active.
  • Monitor ioctl system calls from local processes, for example using `strace` or `auditd`, to detect suspicious ioctl calls with unusual pointers.
  • Example command to check loaded BPF programs: `bpftool prog show`
  • Example command to trace ioctl calls from a specific process: `strace -e ioctl -p <pid>`
Mitigation Strategies

The primary mitigation step is to upgrade OpenTelemetry eBPF Instrumentation to version 0.9.0 or later, where the vulnerability has been patched.

Until the upgrade can be applied, consider disabling the Java TLS ioctl instrumentation if it is not required, to prevent exploitation.

Restrict local access to trusted users only, as exploitation requires local process execution with the ability to issue crafted ioctl calls.

  • Upgrade OpenTelemetry eBPF Instrumentation to version 0.9.0 or newer.
  • Disable Java TLS ioctl kprobe instrumentation if possible.
  • Limit local user permissions to reduce risk of malicious local processes.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45683. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart