Back to list

OpenTelemetry eBPF Instrumentation: Log enricher writev path can overread and overwrite user buffers — CVE-2026-45684

GitHub · GitHub · CVE-2026-45684

ID
CVE-2026-45684
Date
Activity
Source
GitHub
Vendor
GitHub
Threat
medium
CVSS
4.9

Summary

### Summary OBI's log enricher mishandles `writev` buffers by reading only the first `iovec` entry but using the total `iov_iter.count` as the copy length. When log injection is enabled, a crafted multi-segment `writev` call can make OBI read and overwrite memory beyond the first segment. ### Details In…

Product

go: go.opentelemetry.io/obi

What to do

General, cautious steps (verify details in the official source):

  • Review exposure and plan remediation based on risk and environment.
  • Identify affected product versions in your inventory and verify whether you are impacted.
  • Apply vendor patches/updates or recommended mitigations as soon as available.
  • Read the official advisory for exact affected versions and remediation steps.

Official advisory

Related advisories

GitHub GitHub 2026-W21