OpenTelemetry eBPF Instrumentation: Unbounded BPF internal metrics replay can exhaust...

5.9 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, OBI replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very large, causing the metrics exporter to spend excessive CPU time in a tight loop every collection interval. This issue has been patched in version 0.9.0.

Basic Information

ID CVE-2026-45680

Source GitHub_M

Published Jun 2, 2026 at 15:24

Affected Product

Vendor open-telemetry

Product opentelemetry-ebpf-instrumentation

Version < 0.9.0

Affected Versions open-telemetry opentelemetry-ebpf-instrumentation < 0.9.0

CWE Classification

CWE-400 CWE-834

References

{
    "lastseen": "",
    "description": "OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, OBI replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very large, causing the metrics exporter to spend excessive CPU time in a tight loop every collection interval. This issue has been patched in version 0.9.0.",
    "published": "2026-06-02T15:24:46.329Z",
    "modified": "2026-06-02T15:24:46.329Z",
    "type": "cve",
    "title": "OpenTelemetry eBPF Instrumentation: Unbounded BPF internal metrics replay can exhaust CPU",
    "source": "GitHub_M",
    "references": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-89c6-vpcj-7vj4\nhttps://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.9.0",
    "id": "CVE-2026-45680",
    "bulletinFamily": "",
    "cwe": [
        "CWE-400",
        "CWE-834"
    ],
    "cvelist": null,
    "sourceData": "open-telemetry opentelemetry-ebpf-instrumentation < 0.9.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.9,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "opentelemetry-ebpf-instrumentation",
    "version": "< 0.9.0",
    "vendor": "open-telemetry",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

OpenTelemetry eBPF Instrumentation: Unbounded BPF internal metrics replay can exhaust CPU_CVE-2026-45680