Impact
OpenTelemetry eBPF Instrumentation (OBI) uses eBPF probes to record metrics that are replayed into histograms during each collection interval. Prior to version 0.9.0, OBI replayed BPF probe hits by looping once for each recorded run count. When the run-count delta is very large on a busy system, the exporter spends a substantial amount of CPU time in a tight loop at every collection interval, consuming CPU unnecessarily. The attack vector, inferred from the description, would involve processes that generate heavy BPF instrumentation activity; the privilege requirement is likewise inferred to be local or system-level access sufficient to create such load.
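The cost pattern described above, shown as an added example that is not OBI's own code: a minimal bucket histogram replays a probe hit with a large run-count delta once per hit (the pre-0.9.0 shape) and, beside it, folds the whole delta in one step. The `Histogram` type, its `ops` counter and the bulk variant are constructed for illustration and do not reproduce the project's actual patch.

```go
package main

import (
	"fmt"
	"sort"
)

// Histogram is a constructed stand-in for the exporter-side histogram the
// advisory describes; it is not OBI's real type.
type Histogram struct {
	bounds []float64 // ascending upper bounds; the last bucket is +Inf
	counts []uint64  // counts[i] = observations falling in bucket i
	sum    float64
	ops    uint64 // per-sample bucket updates performed, to expose loop cost
}

func NewHistogram(bounds []float64) *Histogram {
	b := append([]float64(nil), bounds...)
	sort.Float64s(b)
	return &Histogram{bounds: b, counts: make([]uint64, len(b)+1)}
}

// bucket returns the index of the first bound >= v (len(bounds) means +Inf).
func (h *Histogram) bucket(v float64) int { return sort.SearchFloat64s(h.bounds, v) }

// ReplayPerHit mirrors the pre-0.9.0 pattern: one loop iteration per recorded
// probe hit, so work grows linearly with the run-count delta.
func (h *Histogram) ReplayPerHit(value float64, delta uint64) {
	for i := uint64(0); i < delta; i++ {
		h.counts[h.bucket(value)]++
		h.sum += value
		h.ops++
	}
}

// ReplayBulk folds the whole delta into the bucket in one step: same result,
// constant work regardless of how busy the system was.
func (h *Histogram) ReplayBulk(value float64, delta uint64) {
	h.counts[h.bucket(value)] += delta
	h.sum += value * float64(delta)
	h.ops++
}

// Equal reports whether two histograms hold identical buckets and sums.
func (h *Histogram) Equal(o *Histogram) bool {
	if len(h.counts) != len(o.counts) || h.sum != o.sum {
		return false
	}
	for i := range h.counts {
		if h.counts[i] != o.counts[i] {
			return false
		}
	}
	return true
}

func main() {
	const delta = 1_000_000 // constructed: a large run-count delta on a busy host
	slow, fast := NewHistogram([]float64{1, 5, 10}), NewHistogram([]float64{1, 5, 10})
	slow.ReplayPerHit(2.5, delta)
	fast.ReplayBulk(2.5, delta)
	fmt.Printf("per-hit: buckets=%v ops=%d\n", slow.counts, slow.ops)
	fmt.Printf("bulk:    buckets=%v ops=%d\n", fast.counts, fast.ops)
}
```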
Affected Systems
All releases of OpenTelemetry eBPF Instrumentation before version 0.9.0 are impacted by the unbounded loop bug that can amplify CPU usage. Users running older releases on systems with heavy BPF instrumentation are at risk of experiencing high CPU load.
Risk and Exploitability
The CVSS score of 5.9 indicates a moderate risk. The EPSS score is unavailable, and the vulnerability is not listed in CISA's KEV catalog. Although the bug requires a busy system and the loop runs at each metrics collection tick, it can be triggered by any process that activates the instrumentation, potentially leading to denial of service through CPU exhaustion. It is classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-834 (Unbounded Loop). Attackers with local or sufficient system privileges can exploit this vulnerability either by forcing high probe activity or simply by waiting for the system to come under heavy load. The mechanism for triggering that load, processes that generate intense BPF activity, is not explicitly documented and is inferred from the description.
OpenCVE Enrichment
GitHub GHSA