Eight vulnerabilities have been disclosed in OpenTelemetry eBPF Instrumentation, an open-source observability framework that provides eBPF-based instrumentation for the OpenTelemetry standard. The vulnerabilities span CVSS scores from 3.8 to 7.5 and include integer overflow, input validation flaws, buffer over-reads and under-reads, out-of-bounds reads, uncontrolled resource consumption, and log injection. All issues are fixed in version 0.8.0.
What Are the Vulnerabilities?
OpenTelemetry eBPF Instrumentation uses eBPF (extended Berkeley Packet Filter) programs to collect telemetry data (traces, metrics and logs) from Linux systems without requiring application code changes. The CVEs listed below were disclosed on June 2, 2026; all of them affect versions prior to 0.8.0:
CVE-2026-45686 (CVSS 7.5, CWE-190 — Integer Overflow): An integer overflow vulnerability introduced in version 0.7.0 that can be triggered through crafted eBPF instrumentation input, potentially leading to memory corruption or unexpected behaviour in the data collection pipeline.
CVE-2026-45685 (CVSS 7.5, CWE-20 — Improper Input Validation): An input validation vulnerability present since version 0.1.0. Insufficient validation of inputs to the eBPF instrumentation framework can allow malformed data to propagate through the observability pipeline, potentially causing incorrect telemetry data or triggering error conditions in downstream consumers.
CVE-2026-45684 (CVSS 4.9, CWE-126 — Buffer Over-read): A buffer over-read introduced in version 0.7.0 that can expose sensitive kernel memory or application data through the observability output when processing certain eBPF events.
CVE-2026-45683 (CVSS 3.8, CWE-127 — Buffer Under-read): A buffer under-read vulnerability in versions prior to 0.8.0 that can cause the eBPF instrumentation to read data before the beginning of an allocated buffer, potentially resulting in incorrect telemetry or process instability.
CVE-2026-45681 (CVSS 5.9, CWE-125 — Out-of-Bounds Read): An out-of-bounds read vulnerability in versions prior to 0.8.0 that can occur during eBPF event processing, potentially exposing memory contents beyond the intended data structures.
CVE-2026-45680 (CVSS 5.9, CWE-400 — Uncontrolled Resource Consumption): A resource exhaustion vulnerability in versions prior to 0.8.0 that can be triggered by specific event patterns, causing the eBPF instrumentation to consume excessive CPU or memory resources.
CVE-2026-45679 (CVSS 6.5, CWE-117 — Improper Output Neutralization for Logs): A log injection vulnerability in versions prior to 0.8.0 that allows crafted data to inject malicious content into log output, potentially enabling log forgery or exploitation of log analysis tools that process the injected content.
Which Versions Are Affected?
All vulnerabilities affect OpenTelemetry eBPF Instrumentation:
- CVE-2026-45685: versions 0.1.0 through prior to 0.8.0 (longest affected range)
- CVE-2026-45686, CVE-2026-45684: versions 0.7.0 through prior to 0.8.0
- CVE-2026-45683, CVE-2026-45681, CVE-2026-45680, CVE-2026-45679: all versions prior to 0.8.0
All eight vulnerabilities are fixed in OpenTelemetry eBPF Instrumentation version 0.8.0.
Is It Being Exploited in the Wild?
No active exploitation has been publicly reported for any of these CVEs. The deployment model still argues for prompt patching. The eBPF programs run in kernel context (bounded by the kernel's eBPF verifier), and the user-space agent that consumes their events typically runs on every node as root or with capabilities such as CAP_BPF, CAP_PERFMON and CAP_SYS_ADMIN, processing data derived from the traffic of every instrumented application. A malformed request to any instrumented service is therefore input to the agent, so a bug in this layer can have a wider impact than a bug in a single user-space application. The integer overflow (CVE-2026-45686) and input validation (CVE-2026-45685) CVEs, both rated CVSS 7.5, warrant prompt attention in production observability deployments.
What Are the Fixes?
Update OpenTelemetry eBPF Instrumentation to version 0.8.0 or later; all eight CVEs are addressed in that release. Update via your package manager, by changing the image tag in your deployment manifests, or by downloading the latest release from the project’s GitHub repository. Verify the installed version after updating by checking the version reported by the running binary or the container image tag, and confirm that no pinned manifest still references an older tag.
Recommendations
Update OpenTelemetry eBPF Instrumentation to 0.8.0. This is a single version update that addresses all eight vulnerabilities. Deploy the update across all systems running the eBPF instrumentation, prioritising production observability pipelines and systems where eBPF programs run with elevated privileges.
Audit your observability stack. eBPF-based observability tools are relatively new and may not be included in routine vulnerability scanning. Identify all systems running OpenTelemetry eBPF Instrumentation and verify their versions. These tools are often deployed as part of Kubernetes observability stacks (via DaemonSets) or as system-level agents — ensure your audit covers all deployment models.
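One way to carry out that audit for the DaemonSet deployment model, as an added example that is not part of the advisory or the project's own tooling: the script below walks `kubectl get daemonsets -A -o json` output, extracts the image tag of any container whose image name contains "ebpf-instrument" (an assumed naming convention; adjust `image_needle` to your registry), and maps the version onto the affected ranges from the section above. Digest-pinned, pre-release and floating tags are reported as "unknown" rather than guessed at. The embedded DaemonSet list is constructed for illustration.

```python
"""Fleet audit against the advisory's affected-version table (added example,
not project code).  Assumes a Kubernetes DaemonSet deployment whose container
image name contains "ebpf-instrument"; feed it `kubectl get daemonsets -A -o json`."""
import json
import re

FIXED_IN = (0, 8, 0)

# Affected ranges as stated in the advisory: the version that introduced the bug,
# or None when every release before 0.8.0 is affected.
INTRODUCED_IN = {
    "CVE-2026-45685": (0, 1, 0),
    "CVE-2026-45686": (0, 7, 0),
    "CVE-2026-45684": (0, 7, 0),
    "CVE-2026-45683": None,
    "CVE-2026-45681": None,
    "CVE-2026-45680": None,
    "CVE-2026-45679": None,
}

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(tag):
    """Return (major, minor, patch) for a plain release tag, else None.
    Pre-release and floating tags ("0.8.0-rc1", "latest") deliberately return
    None so they surface as 'unknown' for manual review instead of being guessed."""
    m = _VERSION.match(tag or "")
    return tuple(int(x) for x in m.groups()) if m else None


def applicable_cves(version):
    """List the advisory's CVEs that apply to a given release version."""
    if version >= FIXED_IN:
        return []
    return sorted(cve for cve, since in INTRODUCED_IN.items()
                  if since is None or version >= since)


def image_tag(image):
    """Extract the tag from an image reference; None for digest-pinned refs."""
    if "@" in image:                      # name@sha256:... carries no version tag
        return None
    last = image.rsplit("/", 1)[-1]       # skip a registry host:port prefix
    return last.split(":", 1)[1] if ":" in last else "latest"


def audit(daemonsets_json, image_needle="ebpf-instrument"):
    """Return one finding per matching container: namespace, name, image, status, cves."""
    findings = []
    for item in json.loads(daemonsets_json)["items"]:
        meta = item["metadata"]
        for c in item["spec"]["template"]["spec"]["containers"]:
            image = c["image"]
            if image_needle not in image:
                continue
            version = parse_version(image_tag(image))
            if version is None:
                status, cves = "unknown", []
            else:
                cves = applicable_cves(version)
                status = "vulnerable" if cves else "fixed"
            findings.append({"namespace": meta["namespace"], "name": meta["name"],
                             "image": image, "status": status, "cves": cves})
    return findings


def _ds(ns, name, image):
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"template": {"spec": {"containers": [{"name": "agent", "image": image}]}}}}


# Constructed sample in the shape of `kubectl get daemonsets -A -o json`.
SAMPLE_DAEMONSETS = json.dumps({"items": [
    _ds("observability", "obi-agent", "otel/ebpf-instrument:0.6.1"),
    _ds("monitoring", "obi-agent", "registry.example.internal:5000/otel/ebpf-instrument:v0.7.2"),
    _ds("observability", "obi-canary", "otel/ebpf-instrument:0.8.0"),
    _ds("observability", "obi-legacy", "otel/ebpf-instrument@sha256:" + "ab" * 32),
    _ds("kube-system", "kube-proxy", "registry.k8s.io/kube-proxy:v1.31.0"),
]})

if __name__ == "__main__":
    for f in audit(SAMPLE_DAEMONSETS):
        print(f"{f['namespace']}/{f['name']}: {f['status']:<10} {f['image']}")
        for cve in f["cves"]:
            print(f"    {cve}")
```

Run it against live data with `kubectl get daemonsets -A -o json | python3 audit.py` after replacing the sample with `sys.stdin.read()`; extend `audit()` to Deployments or node-level package lists if you also run the agent outside Kubernetes.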
Monitor for unusual telemetry patterns. After updating, review observability data for anomalies that could indicate exploitation of the disclosed vulnerabilities prior to patching. Look for unexpected data patterns, malformed log entries (CVE-2026-45679), or resource spikes (CVE-2026-45680) that do not correlate with normal workload patterns.
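The malformed-log-entry check above, as an added example rather than anything the advisory or the project ships: it scans agent log output for the footprints of CWE-117-style injection, namely a record header (`time=`, `level=`) appearing inside a field value, possibly after an escaped line break, raw terminal escape sequences or other control bytes, and lines that lack a record header and may be the tail of a split record. The logfmt-style layout in `HEADER` is an assumption; adjust it to the format your agent emits. The sample lines are constructed.

```python
"""Scan agent log output for log-injection indicators (added example, not
project code).  Assumes logfmt-style records `time=... level=... msg="..." k=v`;
adjust HEADER and the field regex to the format you actually collect."""
import re

HEADER = re.compile(r"^time=\S+ level=\w+\b")
ANSI_CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")      # terminal control sequences
C0 = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")   # other control bytes (tab allowed)
QUOTED_VALUE = re.compile(r'="((?:[^"\\]|\\.)*)"')      # k="..." with escaped quotes
# A record header inside a field value, optionally after an escaped line break:
# the footprint of an injection attempt that the logger neutralised by escaping.
HEADER_IN_VALUE = re.compile(r"(^|\s|\\[rn])(time|ts|level|lvl)=", re.I)


def check_line(line):
    """Return the list of indicators found on one log line (empty when clean)."""
    reasons = []
    line = line.rstrip("\r\n")
    if not HEADER.match(line):
        reasons.append("missing record header")        # possible split record
    if ANSI_CSI.search(line):
        reasons.append("ansi escape sequence")
    if C0.search(ANSI_CSI.sub("", line)):              # don't double-count ESC
        reasons.append("control character")
    if any(HEADER_IN_VALUE.search(v) for v in QUOTED_VALUE.findall(line)):
        reasons.append("record header inside field value")
    return reasons


def scan(lines):
    """Return (index, reasons) for every line that triggers at least one indicator."""
    return [(i, r) for i, l in enumerate(lines) if (r := check_line(l))]


# Constructed sample: one clean record, one neutralised injection attempt carrying
# a forged "admin login" record, one raw ANSI escape, one header-less fragment.
SAMPLE_LOG = [
    'time=2026-06-02T10:00:00Z level=info msg="http request" path="/api/users" status=200',
    'time=2026-06-02T10:00:01Z level=info msg="http request" '
    'path="/api/users\\ntime=2026-06-02T10:00:01Z level=info msg=\\"admin login\\" user=root" status=200',
    'time=2026-06-02T10:00:02Z level=info msg="http request" path="/\x1b[2J\x1b[Hlogin ok" status=404',
    'level=info msg="admin login" user=root',
]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_LOG):
        print(f"line {i}: {', '.join(reasons)}")
```

Pipe a captured log file through `scan()` line by line; a burst of "record header inside field value" hits correlates with injection attempts that a patched agent escaped, whereas "missing record header" lines in output from a pre-0.8.0 agent deserve a closer look.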
References
- NVD: CVE-2026-45686 (Integer Overflow)
- NVD: CVE-2026-45685 (Input Validation)
- NVD: CVE-2026-45679 (Log Injection)
- Vulnerability Intelligence Report — June 3, 2026
This advisory is covered in the broader Vulnerability Intelligence Report — June 3, 2026. For a comprehensive view of all active threats and newly disclosed vulnerabilities, refer to the full report.
