Description
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.7.0 to before version 0.9.0, OBI's log enricher mishandles writev buffers by reading only the first iovec entry but using the total iov_iter.count as the copy length. When log injection is enabled, a crafted multi-segment writev call can make OBI read and overwrite memory beyond the first segment. This issue has been patched in version 0.9.0.
Published: 2026-06-02
Score: 4.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenTelemetry eBPF Instrumentation, from version 0.7.0 up to, but not including, 0.9.0, contains an issue in the log enricher component where writev buffers are mishandled. The implementation reads only the first iovec entry but uses the total iov_iter.count as the copy length, enabling a crafted multi‑segment writev call to cause the program to read and overwrite memory beyond the first buffer. This memory corruption could potentially alter application state or leak sensitive data if the overwritten region influences subsequent processing.
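A constructed C model of the copy step the advisory describes, added here as an illustration and not OBI's own eBPF code: the vulnerable form sizes the copy by the total writev count while sourcing only the first iovec, and the corrected form walks each segment and bounds the copy by both the segment length and the destination capacity. The sample segments, LOG_BUF_SIZE and the function names are assumptions.

```c
#include <string.h>
#include <sys/uio.h>
#define LOG_BUF_SIZE 64   /* destination capacity of the modelled enricher buffer (assumed) */

/* Constructed three-segment writev used as sample input (not a real OBI capture). */
static const char *SEGS[3] = { "2026-06-02 ", "INFO ", "app started\n" }; /* 11+5+12 = 28 bytes */
static const char *JOINED = "2026-06-02 INFO app started\n";

static int sample_writev(struct iovec iov[3]) {
    for (int i = 0; i < 3; i++) {
        iov[i].iov_base = (void *)SEGS[i];
        iov[i].iov_len = strlen(SEGS[i]);
    }
    return 3;
}

/* Vulnerable pattern from the advisory: copy length is the total iov_iter.count, but the
 * source is only iov[0]. Returns how many bytes such a copy would touch beyond segment 0. */
size_t overread_bytes_vulnerable(const struct iovec *iov, int iovcnt) {
    size_t total = 0;
    for (int i = 0; i < iovcnt; i++) total += iov[i].iov_len;
    return total > iov[0].iov_len ? total - iov[0].iov_len : 0;
}

/* Corrected pattern: walk every segment, copy at most its own iov_len, truncate at dst_cap. */
size_t copy_writev_bounded(char *dst, size_t dst_cap, const struct iovec *iov, int iovcnt) {
    size_t off = 0;
    for (int i = 0; i < iovcnt && off < dst_cap; i++) {
        size_t n = iov[i].iov_len;
        if (n > dst_cap - off) n = dst_cap - off;   /* never write past dst */
        memcpy(dst + off, iov[i].iov_base, n);
        off += n;
    }
    return off;   /* number of bytes actually copied */
}

/* Bytes the vulnerable copy would read past segment 0 on the sample (28 - 11 = 17). */
size_t demo_vulnerable_overread(void) {
    struct iovec iov[3];
    return overread_bytes_vulnerable(iov, sample_writev(iov));
}

/* 1 if the bounded copy into dst_cap bytes yields the expected prefix of the joined message. */
int demo_bounded_copy_ok(size_t dst_cap) {
    char dst[LOG_BUF_SIZE];
    struct iovec iov[3];
    if (dst_cap > LOG_BUF_SIZE) dst_cap = LOG_BUF_SIZE;
    size_t got = copy_writev_bounded(dst, dst_cap, iov, sample_writev(iov));
    size_t want = dst_cap < strlen(JOINED) ? dst_cap : strlen(JOINED);
    return got == want && memcmp(dst, JOINED, got) == 0;
}
```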

Affected Systems

The affected product is OpenTelemetry eBPF Instrumentation (open‑telemetry:opentelemetry‑ebpf‑instrumentation). Versions from 0.7.0 through all releases preceding 0.9.0 are impacted. The vulnerability was fixed in release 0.9.0.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The known vector is a crafted writev call that requires the log enricher to be enabled; it is unclear from the advisory whether external entities can trigger the writev, so the attack surface is likely limited to environments where log injection is enabled or where an attacker can influence the log content. No exploit has been reported. The risk is therefore moderate but ties closely to the presence of log injection and the version in use.

Generated by OpenCVE AI on June 2, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenTelemetry eBPF Instrumentation to version 0.9.0 or later
  • If upgrade is not possible, disable log injection in the configuration
  • Remove any older, vulnerable versions of the instrumentation from the system


Advisories

Source: Github GHSA
ID: GHSA-vvmg-8mjr-g6q3
Title: OpenTelemetry eBPF Instrumentation: Log enricher writev path can overread and overwrite user buffers
History

Tue, 02 Jun 2026 17:00:00 +0000
  First Time appeared (values added): Opentelemetry; Opentelemetry opentelemetry-ebpf-instrumentation
  Vendors & Products (values added): Opentelemetry; Opentelemetry opentelemetry-ebpf-instrumentation

Tue, 02 Jun 2026 16:30:00 +0000
  Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 15:45:00 +0000
  Description (values added): OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.7.0 to before version 0.9.0, OBI's log enricher mishandles writev buffers by reading only the first iovec entry but using the total iov_iter.count as the copy length. When log injection is enabled, a crafted multi-segment writev call can make OBI read and overwrite memory beyond the first segment. This issue has been patched in version 0.9.0.
  Title (values added): OpenTelemetry eBPF Instrumentation: Log enricher writev path can overread and overwrite user buffers
  Weaknesses (values added): CWE-126, CWE-787
  References (values added):
  Metrics (values added): cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}

MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-06-02T15:55:27.505Z
  Reserved: 2026-05-12T21:59:25.667Z
  Link: CVE-2026-45684

Vulnrichment
  Updated: 2026-06-02T15:55:24.083Z

NVD
  Status: Undergoing Analysis
  Published: 2026-06-02T16:16:43.187
  Modified: 2026-06-02T17:16:34.543
  Link: CVE-2026-45684

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-06-02T16:45:13Z
  Weaknesses