Description
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the custom CappedConcurrentHashMap introduced for Java TLS state tracking never removes keys from its insertion-order queue when entries are deleted. In long-running instrumented JVMs, repeated connection churn can therefore grow the queue without bound and exhaust heap memory. This issue has been patched in version 0.9.0.
Published: 2026-06-02
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenTelemetry eBPF Instrumentation contains a CappedConcurrentHashMap that never removes keys from its insertion-order queue when entries are deleted. In long-running instrumented JVMs this causes the queue to grow without bound, eventually exhausting heap memory and forcing the JVM to terminate. The weakness corresponds to memory leaks (CWE-401) and capacity exhaustion (CWE-770), and the primary impact is a denial of service by exhausting resources.
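The failure mode described above, as an added illustration that is not the project's code: a small Go model of a capped map whose Delete forgets the insertion-order queue, beside the corrected Delete, with a churn loop showing the queue growing while the live entry count stays at zero. The type, its field names and the fixed switch are assumptions made for the example.

```go
package main
import ("fmt"; "sync")

// cappedMap is a constructed model (not the project's CappedConcurrentHashMap) of a bounded map whose insertion-order queue lets Put evict the oldest key at capacity.
type cappedMap struct {
	mu    sync.Mutex
	cap   int
	items map[string]int
	order []string // insertion-order queue of keys
	fixed bool     // assumption: true selects the corrected Delete behaviour
}

func newCappedMap(capacity int, fixed bool) *cappedMap {
	return &cappedMap{cap: capacity, items: map[string]int{}, fixed: fixed}
}
func (m *cappedMap) Put(k string, v int) {
	m.mu.Lock()
	defer m.mu.Unlock()
	if _, ok := m.items[k]; !ok { m.order = append(m.order, k) } // queue only new keys
	m.items[k] = v
	for len(m.items) > m.cap { // evict oldest; already-deleted keys are simply skipped
		delete(m.items, m.order[0])
		m.order = m.order[1:]
	}
}
func (m *cappedMap) Delete(k string) {
	m.mu.Lock()
	defer m.mu.Unlock()
	delete(m.items, k)
	if !m.fixed { return } // leak: k stays queued and nothing drains it while the map stays under cap
	for i, q := range m.order { // fix: drop the key from the queue as well
		if q == k {
			m.order = append(m.order[:i], m.order[i+1:]...)
			return
		}
	}
}
// churn inserts then deletes n distinct keys (simulated connection churn) and returns how many live entries and queued keys are left behind.
func churn(m *cappedMap, n int) (entries, queued int) {
	for i := 0; i < n; i++ {
		k := fmt.Sprintf("conn-%d", i)
		m.Put(k, i)
		m.Delete(k)
	}
	return len(m.items), len(m.order)
}
func main() {
	fmt.Println(churn(newCappedMap(100, false), 10000)) // 0 10000: queue leaked
	fmt.Println(churn(newCappedMap(100, true), 10000))  // 0 0
}
```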

Affected Systems

OpenTelemetry eBPF Instrumentation prior to version 0.9.0 on Java virtual machines.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity; the EPSS score is not available and the vulnerability is not listed in CISA KEV. Attackers would need the ability to run the instrumented application and generate repeated connection churn to trigger the growth of the queue, making this a local or privileged denial of service risk rather than a remote code execution threat.

Generated by OpenCVE AI on June 2, 2026 at 16:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch by upgrading OpenTelemetry eBPF Instrumentation to version 0.9.0 or later
  • If upgrading is not immediately possible, monitor heap usage closely and limit connection churn within the instrumented JVM
  • Consider isolating the instrumented application or adjusting JVM memory limits to mitigate the risk of heap exhaustion


Advisories
Source: GitHub GHSA
ID: GHSA-962q-hwm5-52x5
Title: OpenTelemetry eBPF Instrumentation: CappedConcurrentHashMap leaks keys after removals
History

Tue, 02 Jun 2026 17:00:00 +0000

Type: First Time appeared
  Values added: Opentelemetry; Opentelemetry opentelemetry-ebpf-instrumentation
Type: Vendors & Products
  Values added: Opentelemetry; Opentelemetry opentelemetry-ebpf-instrumentation

Tue, 02 Jun 2026 15:45:00 +0000

Type: Description
  Values added: OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the custom CappedConcurrentHashMap introduced for Java TLS state tracking never removes keys from its insertion-order queue when entries are deleted. In long-running instrumented JVMs, repeated connection churn can therefore grow the queue without bound and exhaust heap memory. This issue has been patched in version 0.9.0.
Type: Title
  Values added: OpenTelemetry eBPF Instrumentation: CappedConcurrentHashMap leaks keys after removals
Type: Weaknesses
  Values added: CWE-401; CWE-770
Type: References
Type: Metrics
  Values added: cvssV3_1 score 5.1, vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T15:23:24.666Z

Reserved: 2026-05-12T21:59:25.667Z

Link: CVE-2026-45682

Vulnrichment

No data.

NVD

Status : Undergoing Analysis

Published: 2026-06-02T16:16:42.897

Modified: 2026-06-02T17:14:05.363

Link: CVE-2026-45682

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T16:45:13Z

Weaknesses