OpenTelemetry eBPF Instrumentation: CappedConcurrentHashMap leaks keys after removals_CVE-2026-45682

5.1 / 10

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the custom CappedConcurrentHashMap introduced for Java TLS state tracking never removes keys from its insertion-order queue when entries are deleted. In long-running instrumented JVMs, repeated connection churn can therefore grow the queue without bound and exhaust heap memory. This issue has been patched in version 0.9.0.

Basic Information

ID CVE-2026-45682

Source GitHub_M

Published Jun 2, 2026 at 15:23

Affected Product

Vendor open-telemetry

Product opentelemetry-ebpf-instrumentation

Version < 0.9.0

Affected Versions open-telemetry opentelemetry-ebpf-instrumentation < 0.9.0

CWE Classification

CWE-401 CWE-770

References

{
    "lastseen": "",
    "description": "OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the custom CappedConcurrentHashMap introduced for Java TLS state tracking never removes keys from its insertion-order queue when entries are deleted. In long-running instrumented JVMs, repeated connection churn can therefore grow the queue without bound and exhaust heap memory. This issue has been patched in version 0.9.0.",
    "published": "2026-06-02T15:23:24.666Z",
    "modified": "2026-06-02T15:23:24.666Z",
    "type": "cve",
    "title": "OpenTelemetry eBPF Instrumentation: CappedConcurrentHashMap leaks keys after removals",
    "source": "GitHub_M",
    "references": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-962q-hwm5-52x5\nhttps://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.9.0",
    "id": "CVE-2026-45682",
    "bulletinFamily": "",
    "cwe": [
        "CWE-401",
        "CWE-770"
    ],
    "cvelist": null,
    "sourceData": "open-telemetry opentelemetry-ebpf-instrumentation < 0.9.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "opentelemetry-ebpf-instrumentation",
    "version": "< 0.9.0",
    "vendor": "open-telemetry",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}