Description
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17, `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leaks one file descriptor on each successful `ParseFile` call. `ParseFile` opens the schema file and passes it to `Parse` without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. Exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path. Version 0.0.17 contains a patch for the issue.
Published: 2026-06-04
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenTelemetry-Go's schema parser leaks a file descriptor on every successful ParseFile call because the file is never closed after passing it to Parse. Each leak consumes a descriptor from the process. If a long‑running application repeatedly parses schemas, the process can hit the file‑descriptor limit and any subsequent operations that require descriptors will fail, effectively causing a denial of service. The vulnerability is a low‑severity issue but can be impactful in high‑traffic or long‑running deployments.

Affected Systems

The affected components are the OpenTelemetry Go libraries open‑telemetry:go.opentelemetry.io/otel/schema/v1.0 and open‑telemetry:go.opentelemetry.io/otel/schema/v1.1. Any version prior to 0.0.17 of these modules is vulnerable. Users of applications that include these packages without upgrading to the patched release are at risk.

Risk and Exploitability

The CVSS score of 2.1 reflects the low severity of this issue. No EPSS data is available, but the limited attack surface means exploitation would require an attacker-controlled path to the schema parsing logic in a long‑running Go process. The vulnerability is not listed in the CISA KEV catalog, indicating no publicly known active exploitation. Nevertheless, the risk is present in environments where schema files are parsed frequently, as denial of service can be achieved simply by exhausting the file‑descriptor limit.

Generated by OpenCVE AI on June 4, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OpenTelemetry Go libraries to version 0.0.17 or newer.
  • Ensure that any custom code using ParseFile does not expose the ability for external input to specify schema file paths.
  • Monitor the application for warning signs of file‑descriptor exhaustion, such as err_file_open errors or process crashes due to resource limits.
  • Consider instrumenting or wrapping schema parsing calls to explicitly close any opened file descriptors when used in custom contexts.

Generated by OpenCVE AI on June 4, 2026 at 16:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-995v-fvrw-c78m opentelemetry-go's Schema ParseFile leaks file descriptors on each parse
History

Thu, 04 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17, `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leaks one file descriptor on each successful `ParseFile` call. `ParseFile` opens the schema file and passes it to `Parse` without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. Exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path. Version 0.0.17 contains a patch for the issue.
Title OpenTelemetry-Go's Schema ParseFile leaks file descriptors on each parse
Weaknesses CWE-772
CWE-775
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-04T14:45:54.522Z

Reserved: 2026-05-11T20:14:43.200Z

Link: CVE-2026-45287

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-04T16:16:38.690

Modified: 2026-06-04T16:23:52.530

Link: CVE-2026-45287

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T16:30:06Z

Weaknesses