CVE-2026-45680: OpenTelemetry eBPF Instrumentation: Unbounded BPF internal metrics replay can exhaust CPU
OBI replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very large, causing the metrics exporter to spend excessive CPU time in a tight loop every collection interval.
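The cost difference behind this issue, as an added example that is not OBI's code and not its actual fix: a per-hit replay loop beside a weighted observation that does constant work per collection interval. The `hist` type, the function names, and the sample delta are assumptions made for illustration.

```go
package main
import "fmt"

// hist is a toy fixed-bucket histogram (hypothetical stand-in, not OBI's type).
type hist struct {
	bounds []float64 // ascending upper bounds
	counts []uint64  // len(bounds)+1; last slot is overflow
	sum    float64
	ops    uint64 // bucket searches performed, to make the CPU cost visible
}

func newHist(bounds ...float64) *hist {
	return &hist{bounds: bounds, counts: make([]uint64, len(bounds)+1)}
}

// observeN records n identical observations with one bucket search.
func (h *hist) observeN(v float64, n uint64) {
	i := 0
	for i < len(h.bounds) && v > h.bounds[i] {
		i++
	}
	h.ops++
	h.counts[i] += n
	h.sum += v * float64(n)
}

// replayPerHit is the pattern the advisory describes: work grows linearly
// with the run-count delta seen in one collection interval.
func replayPerHit(h *hist, delta uint64, v float64) {
	for i := uint64(0); i < delta; i++ {
		h.observeN(v, 1)
	}
}

// recordWeighted does constant work per interval whatever the delta is. The
// cur <= prev guard is this example's addition: it avoids unsigned wraparound.
func recordWeighted(h *hist, prev, cur uint64, v float64) uint64 {
	if cur <= prev {
		return 0
	}
	h.observeN(v, cur-prev)
	return cur - prev
}

func main() {
	a, b := newHist(1, 10, 100), newHist(1, 10, 100)
	replayPerHit(a, 5_000_000, 7.5) // constructed delta for a busy probe
	recordWeighted(b, 0, 5_000_000, 7.5)
	fmt.Println(a.counts[1] == b.counts[1], a.ops, b.ops)
}
```

Both histograms end with identical bucket counts and sums; only the `ops` counter differs, which is the CPU time the exporter spends each interval.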