Impact
The vulnerability resides in OBI’s fast ELF parser, which unconditionally trusts section offsets, counts, and string offsets supplied by an ELF file. A specially crafted local ELF can cause the agent to dereference invalid pointers or read past string tables when determining the process language, ultimately provoking a panic and crashing the service. This weakness is a classic example of Improper Validation of Resource Parameters (CWE-20) and Improper Calculation of Buffer Size (CWE-248). The immediate impact is that the agent stops functioning, leading to a denial‑of‑service condition for telemetry collection on the affected host.
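To show the class of check whose absence is described above, here is a bounds-checking ELF64 section-name reader written for this note; it is an added example, not OBI's parser or its fix. It assumes a little-endian ELF64 image, the standard header field offsets, and Go 1.21 or later for the built-in `min`; the `buildELF` helper fabricates a minimal image so that a too-large `e_shoff` or `sh_name` can be fed in and rejected instead of panicking.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
)
const ehdrSize, shdrSize = 64, 64 // ELF64 header and section-header sizes
var errBounds = errors.New("elf: offset or count exceeds file bounds")

// sectionNames returns the section names of a little-endian ELF64 image, checking every file-supplied offset and count against len(data) before it is used.
func sectionNames(data []byte) ([]string, error) {
	le, size := binary.LittleEndian, uint64(len(data))
	if size < ehdrSize || string(data[:4]) != "\x7fELF" {
		return nil, errBounds
	}
	shoff, shnum, shstrndx := le.Uint64(data[0x28:]), uint64(le.Uint16(data[0x3c:])), uint64(le.Uint16(data[0x3e:]))
	// Validate the count before the offset so that size-shnum*shdrSize cannot underflow.
	if shnum > size/shdrSize || shoff > size-shnum*shdrSize || shstrndx >= shnum {
		return nil, errBounds
	}
	hdr := func(i uint64) []byte { return data[shoff+i*shdrSize:][:shdrSize] }
	// The string table's sh_offset and sh_size are file-supplied as well and get the same check.
	stroff, strsize := le.Uint64(hdr(shstrndx)[0x18:]), le.Uint64(hdr(shstrndx)[0x20:])
	if stroff > size || strsize > size-stroff {
		return nil, errBounds
	}
	strtab, names := data[stroff:stroff+strsize], make([]string, 0, shnum)
	for i := uint64(0); i < shnum; i++ {
		off := uint64(le.Uint32(hdr(i)))
		name, _, ok := bytes.Cut(strtab[min(off, strsize):], []byte{0}) // clamp keeps the slice legal
		if off >= strsize || !ok {
			return nil, errBounds // sh_name past the table, or name not NUL-terminated inside it
		}
		names = append(names, string(name))
	}
	return names, nil
}

// buildELF assembles a minimal constructed ELF64 image (not a real binary): a null section plus .shstrtab, with e_shoff and sh_name chosen by the caller so they can be corrupted.
func buildELF(shoff uint64, nameOff uint32) []byte {
	strtab := []byte("\x00.shstrtab\x00")
	buf := make([]byte, ehdrSize+2*shdrSize+len(strtab))
	copy(buf, "\x7fELF")
	binary.LittleEndian.PutUint64(buf[0x28:], shoff) // e_shoff
	binary.LittleEndian.PutUint16(buf[0x3c:], 2)     // e_shnum
	binary.LittleEndian.PutUint16(buf[0x3e:], 1)     // e_shstrndx
	binary.LittleEndian.PutUint32(buf[ehdrSize+shdrSize:], nameOff)                        // sh_name of section 1
	binary.LittleEndian.PutUint64(buf[ehdrSize+shdrSize+0x18:], uint64(ehdrSize+2*shdrSize)) // sh_offset
	binary.LittleEndian.PutUint64(buf[ehdrSize+shdrSize+0x20:], uint64(copy(buf[ehdrSize+2*shdrSize:], strtab))) // sh_size
	return buf
}
```

A well-formed image yields `["", ".shstrtab"]`; an `e_shoff` past the end of the file, an `sh_name` beyond the string table, or an oversized `sh_size` each return `errBounds` rather than triggering a slice-bounds panic.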
Affected Systems
The affected product is OpenTelemetry eBPF Instrumentation from the open‑telemetry organization. Every release prior to version 0.9.0 is susceptible; the issue is fixed in v0.9.0 and later. No other vendors or products are listed as affected.
Risk and Exploitability
The CVSS score of 5.5 indicates medium severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no actively exploited variants are known. The attack vector can be inferred to be local, as a malicious user must supply a crafted ELF file to the agent; no remote exploitation method is described. Consequently, the risk is moderate for environments where untrusted ELF files may be processed by the agent.
OpenCVE Enrichment
Github GHSA