Description
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From 0.4.0 to before 0.8.0, a flaw in the Java agent injection path allows a local attacker controlling a Java workload to overwrite arbitrary host files when Java injection is enabled and OBI is running with elevated privileges. The injector trusted TMPDIR from the target process and used unsafe file creation semantics, enabling both filesystem boundary escape and symlink-based file clobbering. This vulnerability is fixed in 0.8.0.
Published: 2026-04-24
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Overwrite
Action: Immediate Patch
AI Analysis

Impact

OpenTelemetry eBPF Instrumentation (OBI) exposes a flaw in its Java agent injection path that lets a local attacker who controls a Java workload overwrite arbitrary files on the host, provided injection is enabled and OBI runs with elevated privileges. The injector reads TMPDIR from the target process's environment and trusts it when choosing where to drop the agent, and it creates the file with semantics that follow symlinks and overwrite existing content. Together these let the privileged write escape the intended filesystem boundary (CWE-22) and be redirected through a planted symlink onto a file of the attacker's choosing (CWE-59). The CVSS vector rates the impact as high for integrity and availability and none for confidentiality, which matches an overwrite primitive that does not itself read data; the scope change records that an attacker confined to a workload affects host files outside that workload's boundary.

Affected Systems

The affected product is OpenTelemetry eBPF Instrumentation from the open-telemetry vendor, versions 0.4.0 up to but not including 0.8.0. Only deployments in which OBI runs with elevated privileges and has Java agent injection enabled are exposed; an OBI instance that does not inject Java agents, or that runs unprivileged, does not offer the attacker the privileged write.

Risk and Exploitability

The EPSS score below 1% predicts that exploitation in the wild will be rare, and the CVE is not listed in CISA's KEV catalog; the SSVC assessment records a public proof of concept (Exploitation: poc) and rates the flaw as not automatable. Exploitation requires that the attacker already control a Java process on the host (CVSS AV:L/PR:L, no user interaction), that OBI's Java agent injection be enabled for that process, and that OBI run with elevated privileges. Under those conditions the attacker can overwrite arbitrary host files and so compromise the host as a whole, which is why the local-only attack vector should not be read as low severity on shared or multi-tenant hosts where untrusted parties deploy Java workloads.

Generated by OpenCVE AI on April 28, 2026 at 13:34 UTC.

Remediation

The vendor advisory (GHSA-8gmg-3w2q-65f4) states that the flaw is fixed in version 0.8.0. No separate workaround is published.

OpenCVE Recommended Actions

  • Upgrade to OpenTelemetry eBPF Instrumentation 0.8.0 or newer, which contains the fix.
  • If an upgrade is not immediately possible, disable Java agent injection, or restrict it to trusted workloads and run OBI with the least privilege it needs; the file overwrite is only dangerous because OBI performs the write as a privileged user.
  • Treat the TMPDIR of every instrumented Java process as attacker-controlled. The untrusted value comes from the target workload's environment, not from OBI's own, so restricting the TMPDIR that OBI itself uses does not by itself close the hole; short of the upgrade, the mitigations are the two above.
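The two defects named in the description and the Impact section, trusting a directory taken from the target process and creating the agent file with follow-and-truncate semantics, are easiest to see side by side. The Go program below is an added illustration written for this page; it is not OBI's code and does not claim to reproduce the 0.8.0 fix. It assumes an injector that intends to write under a per-target root (the injectRoot parameter, an assumption of this example) and receives a TMPDIR string from the workload; unsafeWriteAgent models the pre-fix pattern, safeWriteAgent the hardened one, and main builds a constructed scenario in a temporary directory with a planted symlink so both behaviours can be observed offline.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// ErrOutsideRoot is returned when the target-supplied directory resolves
// outside the directory the injector is allowed to write under.
var ErrOutsideRoot = errors.New("target TMPDIR resolves outside the injection root")

// unsafeWriteAgent models the pattern the advisory describes (illustration,
// not OBI's code): the directory comes straight from the target process's
// environment and the file is created with create-or-truncate semantics.
func unsafeWriteAgent(targetTmpdir, name string, payload []byte) (string, error) {
	p := filepath.Join(targetTmpdir, name)
	// os.WriteFile opens with O_CREATE|O_TRUNC and follows symlinks: if the
	// workload owner planted p as a symlink, the link target is truncated
	// and overwritten with payload instead.
	if err := os.WriteFile(p, payload, 0o644); err != nil {
		return "", err
	}
	return p, nil
}

// safeWriteAgent anchors the write under injectRoot (the per-target root the
// injector intends to write into; an assumption of this example), refuses
// directories that escape it lexically or through symlinks, and creates the
// file so that an existing path, symlink included, is never followed.
func safeWriteAgent(injectRoot, targetTmpdir, name string, payload []byte) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsRune(name, filepath.Separator) {
		return "", fmt.Errorf("refusing file name %q", name)
	}
	// Lexical check: a TMPDIR such as "/../host" cleans to a sibling of injectRoot.
	dir := filepath.Join(injectRoot, targetTmpdir)
	if !within(injectRoot, dir) {
		return "", ErrOutsideRoot
	}
	// Physical check: a symlinked directory inside the root may still point
	// out of it, so compare the resolved paths as well.
	resolvedRoot, err := filepath.EvalSymlinks(injectRoot)
	if err != nil {
		return "", err
	}
	resolvedDir, err := filepath.EvalSymlinks(dir)
	if err != nil {
		return "", err
	}
	if !within(resolvedRoot, resolvedDir) {
		return "", ErrOutsideRoot
	}
	// Create-only, never follow: O_EXCL fails with EEXIST if anything (file or
	// symlink) already occupies the name, and O_NOFOLLOW refuses to open
	// through a symlink even when O_EXCL is absent.
	p := filepath.Join(resolvedDir, name)
	f, err := os.OpenFile(p, os.O_WRONLY|os.O_CREATE|os.O_EXCL|syscall.O_NOFOLLOW, 0o600)
	if err != nil {
		return "", err
	}
	defer f.Close()
	if _, err := f.Write(payload); err != nil {
		return "", err
	}
	return p, nil
}

// within reports whether path is root itself or lies beneath it.
func within(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	// Constructed scenario: a "host" file the workload owner wants clobbered
	// and a symlink named like the agent file planted in the workload's TMPDIR.
	base, _ := os.MkdirTemp("", "obi-demo")
	defer os.RemoveAll(base)
	root, host := filepath.Join(base, "root"), filepath.Join(base, "host")
	_ = os.MkdirAll(filepath.Join(root, "tmp"), 0o700)
	_ = os.MkdirAll(host, 0o700)
	victim := filepath.Join(host, "victim")
	_ = os.WriteFile(victim, []byte("original"), 0o600)
	_ = os.Symlink(victim, filepath.Join(root, "tmp", "agent.jar"))

	_, _ = unsafeWriteAgent(filepath.Join(root, "tmp"), "agent.jar", []byte("PAYLOAD"))
	got, _ := os.ReadFile(victim)
	fmt.Printf("after the unsafe write the victim contains %q\n", got)

	_, err := safeWriteAgent(root, "/tmp", "agent.jar", []byte("PAYLOAD"))
	fmt.Println("safe write onto the planted symlink:", err)
	_, err = safeWriteAgent(root, "/../host", "agent.jar", []byte("PAYLOAD"))
	fmt.Println("safe write with an escaping TMPDIR:", err)
}
```

The lexical check alone is not enough: a directory that sits inside the root but is itself a symlink to the host passes filepath.Rel and only fails after EvalSymlinks, which is why both checks are kept. O_EXCL with O_NOFOLLOW closes the last-component symlink case; it does not protect against a directory component being swapped between the check and the open, so a production injector should additionally write only under a directory it owns and that the workload cannot modify.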

Advisories
  Source: GitHub GHSA
  ID: GHSA-8gmg-3w2q-65f4
  Title: OpenTelemetry eBPF Instrumentation: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR
History

Thu, 14 May 2026 16:45:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Opentelemetry opentelemetry Ebpf Instrumentation
  CPEs                                  cpe:2.3:a:opentelemetry:opentelemetry_ebpf_instrumentation:*:*:*:*:*:go:*:*
  Vendors & Products                    Opentelemetry opentelemetry Ebpf Instrumentation

Tue, 28 Apr 2026 09:45:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Opentelemetry
                                        Opentelemetry opentelemetry-ebpf-instrumentation
  Vendors & Products                    Opentelemetry
                                        Opentelemetry opentelemetry-ebpf-instrumentation

Sat, 25 Apr 2026 02:15:00 +0000

  Type                 Values Removed   Values Added
  Metrics ssvc                          {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 19:45:00 +0000

  Type                 Values Removed   Values Added
  Description                           OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From 0.4.0 to before 0.8.0, a flaw in the Java agent injection path allows a local attacker controlling a Java workload to overwrite arbitrary host files when Java injection is enabled and OBI is running with elevated privileges. The injector trusted TMPDIR from the target process and used unsafe file creation semantics, enabling both filesystem boundary escape and symlink-based file clobbering. This vulnerability is fixed in 0.8.0.
  Title                                 OpenTelemetry eBPF Instrumentation: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR
  Weaknesses                            CWE-22
                                        CWE-59
  References
  Metrics cvssV3_1                      {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-25T01:52:06.558Z

Reserved: 2026-04-20T15:32:33.815Z

Link: CVE-2026-41433

Vulnrichment

Updated: 2026-04-25T01:52:00.479Z

NVD

Status : Analyzed

Published: 2026-04-24T20:16:27.803

Modified: 2026-05-14T16:31:47.687

Link: CVE-2026-41433

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:45:06Z

Weaknesses