CVE-2026-45683
Memory Corruption in OpenTelemetry eBPF Instrumentation
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open_telemetry | opentelemetry_ebpf_instrumentation | before 0.9.0 (0.9.0 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-127 | The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows local kernel memory disclosure through the OpenTelemetry eBPF Instrumentation's Java TLS ioctl probe. This exposure of kernel memory could lead to unauthorized access to sensitive information.
While the severity is rated as low and requires local access, any unauthorized disclosure of sensitive data can impact compliance with standards such as GDPR and HIPAA, which mandate protection of sensitive and personal data.
Therefore, if exploited in an environment subject to these regulations, this vulnerability could pose a risk to compliance by exposing sensitive information to unauthorized actors.
Can you explain this vulnerability to me?
The CVE-2026-45683 vulnerability affects the OpenTelemetry eBPF Instrumentation, specifically a Java TLS ioctl kprobe. The issue occurs because the probe uses the function bpf_probe_read instead of the safer bpf_probe_read_user to read user-controlled ioctl pointers. This flaw allows an instrumented local process to supply a pointer to kernel memory, causing the probe to read and expose kernel memory contents into telemetry data.
The vulnerable code is located in bpf/generictracer/java_tls.c, where ioctl calls for Java TLS magic commands are filtered and structured data is read from the provided pointer. Since the pointer comes from user space, it should be strictly validated and read using bpf_probe_read_user, which fails instead of reading when the address lies outside the calling task's user address space, so a kernel pointer supplied through the ioctl is rejected rather than dereferenced.
Exploitation requires a vulnerable build of OpenTelemetry eBPF Instrumentation with Java TLS support, a host capable of loading BPF programs, and a local process issuing a crafted ioctl call with an attacker-controlled pointer. The vulnerability was patched in version 0.9.0.
How can this vulnerability impact me?
This vulnerability can lead to local kernel memory disclosure. An attacker with local access and the ability to run an instrumented process can cause sensitive kernel memory contents to be copied into telemetry data, potentially exposing sensitive information.
However, the impact is considered low severity with a CVSS score of 3.8 because exploitation requires local access, low privileges, and the presence of Java TLS instrumentation enabled in the OpenTelemetry eBPF setup.
The vulnerability does not affect system integrity or availability but can compromise confidentiality by exposing kernel memory contents.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2026-45683 involves identifying if a vulnerable version of OpenTelemetry eBPF Instrumentation is running, specifically versions prior to 0.9.0 with Java TLS ioctl kprobe enabled.
Since exploitation requires a local process issuing crafted ioctl calls with attacker-controlled pointers, monitoring for unusual or suspicious ioctl calls related to Java TLS magic commands may help detect attempts.
- Check the installed version of OpenTelemetry eBPF Instrumentation; anything older than 0.9.0 is affected.
- List loaded BPF programs with `bpftool prog show` and look for the Java TLS ioctl kprobe.
- Trace ioctl system calls from a specific process with `strace -e ioctl -p <pid>`, or record them with `auditd`, to spot ioctl calls carrying unusual pointers.
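The version check and the `bpftool` check from the list above, as an added defender-side example that is not code from the OpenTelemetry project: the kprobe name fragment `java_tls` is an assumption (the page names only the source file, not the program's symbol), and the sample `bpftool prog show` output is constructed.

```python
"""Triage helper for CVE-2026-45683 (added example, not code from the OBI project):
is the installed OpenTelemetry eBPF Instrumentation older than 0.9.0, and does
`bpftool prog show` list a kprobe that looks like the Java TLS ioctl probe?
The kprobe name pattern is an assumption; the page names only java_tls.c."""
import re
import subprocess

FIXED_IN = (0, 9, 0)
# Assumed name fragment of the Java TLS ioctl program; adjust to the real symbol.
JAVA_TLS_NAME = re.compile(r"java_?tls", re.IGNORECASE)
# First line bpftool prints per program: "<id>: <type>  name <name>  tag ..."
PROG_LINE = re.compile(r"^(\d+):\s+(\w+)\s+name\s+(\S+)")

def parse_version(text: str) -> tuple[int, int, int]:
    """Pull the first dotted x.y.z version out of a version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())

def is_vulnerable_version(text: str) -> bool:
    """True for any release before the fixed 0.9.0."""
    return parse_version(text) < FIXED_IN

def java_tls_kprobes(bpftool_output: str) -> list[tuple[int, str]]:
    """Return (prog id, name) for loaded kprobes whose name matches the hint."""
    hits = []
    for line in bpftool_output.splitlines():
        m = PROG_LINE.match(line)
        if m and m.group(2) == "kprobe" and JAVA_TLS_NAME.search(m.group(3)):
            hits.append((int(m.group(1)), m.group(3)))
    return hits

# Constructed sample of `bpftool prog show` output for an offline run.
SAMPLE_BPFTOOL = (
    "12: kprobe  name obi_java_tls_ioctl  tag 0123456789abcdef  gpl\n"
    "\tloaded_at 2026-06-02T10:00:00+0000  uid 0\n"
    "\txlated 512B  jited 320B  memlock 4096B  map_ids 7\n"
    "14: tracepoint  name sys_enter_read  tag fedcba9876543210  gpl\n"
    "16: kprobe  name tcp_connect_probe  tag 1111222233334444  gpl\n"
)

if __name__ == "__main__":
    print("sample:", java_tls_kprobes(SAMPLE_BPFTOOL))
    try:  # live check of this host; bpftool needs root or CAP_BPF
        out = subprocess.run(["bpftool", "prog", "show"], capture_output=True,
                             text=True, check=False).stdout
        print("host:", java_tls_kprobes(out))
    except FileNotFoundError:
        print("bpftool not found; skipping live check")
```

Pass the instrumentation's own version string to `is_vulnerable_version` and the real `bpftool prog show` output to `java_tls_kprobes` to triage a host.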
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade OpenTelemetry eBPF Instrumentation to version 0.9.0 or later, where the vulnerability has been patched.
Until the upgrade can be applied:
- Disable the Java TLS ioctl kprobe instrumentation if it is not required, to prevent exploitation.
- Restrict local access to trusted users only and limit local user permissions, since exploitation requires running a local process that can issue crafted ioctl calls.