GHSA-R6C9-G6Q5-QRF9
Vulnerability from github – Published: 2026-05-18 20:11 – Updated: 2026-06-09 10:58Summary
The per-CPU message-buffer fallback path uses a 256-byte backup buffer but preserves the original payload size, which can be up to 8KB. If a CPU mismatch occurs, OBI can read beyond the fallback buffer and leak adjacent memory into telemetry.
Details
https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/032473449b53d9f02ec4619d4f5b84e6a81db362/bpf/common/http_buf_size.h#L4-L7
k_kprobes_http2_buf_size is defined as 256 bytes, the size of the fallback buffer.
https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/032473449b53d9f02ec4619d4f5b84e6a81db362/bpf/common/msg_buffer.h#L12-L36
Introduces 8KB per-CPU buffer and 256-byte fallback_buf in msg_buffer_t, creating a size mismatch for fallback use.
https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/032473449b53d9f02ec4619d4f5b84e6a81db362/bpf/generictracer/k_tracer.c#L370-L394
On CPU mismatch, fallback_bufis used but size is still set to m_buf->real_size (up to 8KB) and passed downstream.
https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/032473449b53d9f02ec4619d4f5b84e6a81db362/bpf/generictracer/protocol_http.h#L412-L441
bytes_len (from m_buf->real_size) is used to read payload data from u_buf; if u_buf is the 256B fallback, this can over-read and leak memory into telemetry.
https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/032473449b53d9f02ec4619d4f5b84e6a81db362/bpf/tpinjector/tpinjector.c#L192-L206
real_sizeis set up to 8192 bytes and stored with cpu_id; fallback_bufonly contains 256 bytes.
PoC
Local testing with an AddressSanitizer user-space PoC reproduced the same class of size-mismatch over-read as the vulnerable fallback-buffer path. That result is sufficient to ground the advisory in a fresh local reproduction even though the exact end-to-end eBPF path still depends on host BPF capabilities.
To reproduce the validated behavior locally:
- create a struct that models
fallback_buf[256]andreal_size - populate only the 256-byte fallback buffer
- simulate the CPU mismatch path by using the fallback buffer as the source pointer while preserving a much larger
real_size - perform a read of
real_sizebytes from that 256-byte backing store under ASan
An equivalent reproducer is:
// save as /tmp/poc_msgbuf_oob.c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
struct msg_buffer {
unsigned char fallback_buf[256];
uint16_t pos;
uint16_t real_size;
uint32_t cpu_id;
};
int main(void) {
struct msg_buffer m = {0};
unsigned char sink[8192];
memset(m.fallback_buf, 'A', sizeof(m.fallback_buf));
m.real_size = 4096;
memcpy(sink, m.fallback_buf, m.real_size);
printf("copied %u bytes from a 256-byte fallback buffer\n", m.real_size);
return 0;
}
Compile and run with ASan:
cc -fsanitize=address -O1 -g -o /tmp/poc_msgbuf_oob /tmp/poc_msgbuf_oob.c
ASAN_OPTIONS=abort_on_error=1 /tmp/poc_msgbuf_oob
Expected result:
AddressSanitizer: heap-buffer-overflow or stack-buffer-overflow
That user-space PoC matches the size-mismatch condition in the vulnerable code path, even though the exact end-to-end eBPF runtime path still requires host BPF attach/load capability.
Impact
This is a confidentiality issue in the HTTP tracing path. The vulnerable read occurs in OBI's local fallback-buffer handling when context propagation is enabled, the tpinjector sock_msg path is active, HTTP large-buffer capture is configured with a non-zero size, and a CPU mismatch occurs between producer and consumer contexts. Under those conditions, OBI can over-read from the fallback buffer and export unrelated memory through telemetry.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "go.opentelemetry.io/obi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45681"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-130"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T20:11:20Z",
"nvd_published_at": "2026-06-02T16:16:42Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nThe per-CPU message-buffer fallback path uses a 256-byte backup buffer but preserves the original payload size, which can be up to 8KB. If a CPU mismatch occurs, OBI can read beyond the fallback buffer and leak adjacent memory into telemetry.\n\n### Details\n\nhttps://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/032473449b53d9f02ec4619d4f5b84e6a81db362/bpf/common/http_buf_size.h#L4-L7\n\n`k_kprobes_http2_buf_size` is defined as 256 bytes, the size of the fallback buffer.\n\nhttps://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/032473449b53d9f02ec4619d4f5b84e6a81db362/bpf/common/msg_buffer.h#L12-L36\n\nIntroduces 8KB per-CPU buffer and 256-byte `fallback_buf` in `msg_buffer_t`, creating a size mismatch for fallback use.\n\nhttps://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/032473449b53d9f02ec4619d4f5b84e6a81db362/bpf/generictracer/k_tracer.c#L370-L394\n\nOn CPU mismatch, `fallback_buf `is used but size is still set to `m_buf-\u003ereal_size` (up to 8KB) and passed downstream.\n\nhttps://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/032473449b53d9f02ec4619d4f5b84e6a81db362/bpf/generictracer/protocol_http.h#L412-L441\n\n`bytes_len (from m_buf-\u003ereal_size)` is used to read payload data from `u_buf`; if `u_buf` is the 256B fallback, this can over-read and leak memory into telemetry.\n\nhttps://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/032473449b53d9f02ec4619d4f5b84e6a81db362/bpf/tpinjector/tpinjector.c#L192-L206\n\n`real_size `is set up to 8192 bytes and stored with `cpu_id`; `fallback_buf `only contains 256 bytes.\n\n### PoC\n\nLocal testing with an AddressSanitizer user-space PoC reproduced the same class of size-mismatch over-read as the vulnerable fallback-buffer path. That result is sufficient to ground the advisory in a fresh local reproduction even though the exact end-to-end eBPF path still depends on host BPF capabilities.\n\nTo reproduce the validated behavior locally:\n\n1. create a struct that models `fallback_buf[256]` and `real_size`\n2. populate only the 256-byte fallback buffer\n3. simulate the CPU mismatch path by using the fallback buffer as the source pointer while preserving a much larger `real_size`\n4. perform a read of `real_size` bytes from that 256-byte backing store under ASan\n\nAn equivalent reproducer is:\n\n```c\n// save as /tmp/poc_msgbuf_oob.c\n#include \u003cstdint.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cstring.h\u003e\n\nstruct msg_buffer {\n unsigned char fallback_buf[256];\n uint16_t pos;\n uint16_t real_size;\n uint32_t cpu_id;\n};\n\nint main(void) {\n struct msg_buffer m = {0};\n unsigned char sink[8192];\n\n memset(m.fallback_buf, \u0027A\u0027, sizeof(m.fallback_buf));\n m.real_size = 4096;\n\n memcpy(sink, m.fallback_buf, m.real_size);\n printf(\"copied %u bytes from a 256-byte fallback buffer\\n\", m.real_size);\n return 0;\n}\n```\n\nCompile and run with ASan:\n\n```bash\ncc -fsanitize=address -O1 -g -o /tmp/poc_msgbuf_oob /tmp/poc_msgbuf_oob.c\nASAN_OPTIONS=abort_on_error=1 /tmp/poc_msgbuf_oob\n```\n\nExpected result:\n\n```text\nAddressSanitizer: heap-buffer-overflow or stack-buffer-overflow\n```\n\nThat user-space PoC matches the size-mismatch condition in the vulnerable code path, even though the exact end-to-end eBPF runtime path still requires host BPF attach/load capability.\n\n### Impact\n\nThis is a confidentiality issue in the HTTP tracing path. The vulnerable read occurs in OBI\u0027s local fallback-buffer handling when context propagation is enabled, the `tpinjector` sock_msg path is active, HTTP large-buffer capture is configured with a non-zero size, and a CPU mismatch occurs between producer and consumer contexts. Under those conditions, OBI can over-read from the fallback buffer and export unrelated memory through telemetry.",
"id": "GHSA-r6c9-g6q5-qrf9",
"modified": "2026-06-09T10:58:36Z",
"published": "2026-05-18T20:11:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-r6c9-g6q5-qrf9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45681"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation"
},
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.9.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenTelemetry eBPF Instrumentation: CPU-mismatch fallback uses 256-byte buffer with 8KB size"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.