Description
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17, `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leaks one file descriptor on each successful `ParseFile` call. `ParseFile` opens the schema file and passes it to `Parse` without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. Exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path. Version 0.0.17 contains a patch for the issue.
Published: 2026-06-04
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenTelemetry-Go's schema parser leaks a file descriptor on every successful ParseFile call because the file is never closed after passing it to Parse. Each leak consumes a descriptor from the process. If a long‑running application repeatedly parses schemas, the process can hit the file‑descriptor limit and any subsequent operations that require descriptors will fail, effectively causing a denial of service. The vulnerability is a low‑severity issue but can be impactful in high‑traffic or long‑running deployments.

Affected Systems

The affected components are the OpenTelemetry Go libraries open‑telemetry:go.opentelemetry.io/otel/schema/v1.0 and open‑telemetry:go.opentelemetry.io/otel/schema/v1.1. Any version prior to 0.0.17 of these modules is vulnerable. Users of applications that include these packages without upgrading to the patched release are at risk.

Risk and Exploitability

The CVSS score of 2.1 reflects the low severity of this issue. No EPSS data is available, but the limited attack surface means exploitation would require an attacker-controlled path to the schema parsing logic in a long‑running Go process. The vulnerability is not listed in the CISA KEV catalog, indicating no publicly known active exploitation. Nevertheless, the risk is present in environments where schema files are parsed frequently, as denial of service can be achieved simply by exhausting the file‑descriptor limit.

Generated by OpenCVE AI on June 4, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OpenTelemetry Go libraries to version 0.0.17 or newer.
  • Ensure that any custom code using ParseFile does not expose the ability for external input to specify schema file paths.
  • Monitor the application for warning signs of file‑descriptor exhaustion, such as err_file_open errors or process crashes due to resource limits.
  • Consider instrumenting or wrapping schema parsing calls to explicitly close any opened file descriptors when used in custom contexts.

Generated by OpenCVE AI on June 4, 2026 at 16:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-995v-fvrw-c78m opentelemetry-go's Schema ParseFile leaks file descriptors on each parse
History

Sat, 13 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.0, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Low

Mon, 08 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Opentelemetry
Opentelemetry opentelemetry-go
Vendors & Products Opentelemetry
Opentelemetry opentelemetry-go

Thu, 04 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17, `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leaks one file descriptor on each successful `ParseFile` call. `ParseFile` opens the schema file and passes it to `Parse` without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. Exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path. Version 0.0.17 contains a patch for the issue.
Title OpenTelemetry-Go's Schema ParseFile leaks file descriptors on each parse
Weaknesses CWE-772
CWE-775
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Opentelemetry Opentelemetry-go
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-08T18:27:46.212Z

Reserved: 2026-05-11T20:14:43.200Z

Link: CVE-2026-45287

cve-icon Vulnrichment

Updated: 2026-06-08T18:27:42.302Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-04T16:16:38.690

Modified: 2026-06-08T19:16:45.260

Link: CVE-2026-45287

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-04T14:45:54Z

Links: CVE-2026-45287 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T10:07:37Z

Weaknesses
  • CWE-772

    Missing Release of Resource after Effective Lifetime

  • CWE-775

    Missing Release of File Descriptor or Handle after Effective Lifetime