CVE-2026-45684: OpenTelemetry eBPF Instrumentation: Log enricher writev path can overread and overwrite user buffers
OBI’s (OpenTelemetry eBPF Instrumentation’s) log enricher mishandles writev buffers: it reads only the first iovec entry but uses the total iov_iter.count as the copy length. When log injection is enabled, a crafted multi-segment writev call can make OBI read and overwrite memory beyond the first segment.
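As an added illustration of the flaw class described above (constructed example, not OBI's own code; the `iovec_like` struct and the three-segment payload are stand-ins for the kernel types and the writev arguments), the following measures how far a copy of the total byte count from the first segment alone would overread, and shows a bounded gather that walks every segment instead:

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a kernel iovec; not OBI's own types or code. */
struct iovec_like { const char *iov_base; size_t iov_len; };

/* Constructed three-segment writev payload used by the checks below. */
static const struct iovec_like sample_iov[] = {
    { "GET ",       4 },
    { "/index ",    7 },
    { "HTTP/1.1\n", 9 },
};
#define SAMPLE_NSEG (sizeof sample_iov / sizeof sample_iov[0])

/* Models the advisory's flaw: the copy length is the iov_iter's total byte
 * count, but the source pointer is only segment 0. Returns how many bytes
 * such a copy would read past the end of the first segment. */
size_t first_segment_overread(const struct iovec_like *iov, size_t nseg) {
    size_t total = 0;
    for (size_t i = 0; i < nseg; i++) total += iov[i].iov_len;
    return (nseg > 0 && total > iov[0].iov_len) ? total - iov[0].iov_len : 0;
}

/* Corrected gather: every segment is visited, each memcpy bounded by that
 * segment's own length and by the space left in dst. Returns bytes written. */
size_t gather_bounded(const struct iovec_like *iov, size_t nseg,
                      char *dst, size_t dstlen) {
    size_t written = 0;
    for (size_t i = 0; i < nseg && written < dstlen; i++) {
        size_t n = iov[i].iov_len;
        if (n > dstlen - written) n = dstlen - written; /* truncate, never overflow */
        memcpy(dst + written, iov[i].iov_base, n);
        written += n;
    }
    return written;
}

/* Gathers sample_iov into a fixed 64-byte buffer, limited to dstlen bytes. */
size_t demo_gather(size_t dstlen) {
    static char buf[64];
    return gather_bounded(sample_iov, SAMPLE_NSEG, buf, dstlen < 64 ? dstlen : 64);
}

int main(void) {
    char line[64];
    size_t n = gather_bounded(sample_iov, SAMPLE_NSEG, line, sizeof line);
    printf("flawed copy would overread %zu bytes past segment 0\n",
           first_segment_overread(sample_iov, SAMPLE_NSEG));
    printf("bounded gather wrote %zu bytes: %.*s", n, (int)n, line);
    return 0;
}
```

With the constructed payload the first segment holds 4 of the 20 total bytes, so a copy of `count` bytes from segment 0 reads 16 bytes past it; the bounded gather writes at most the destination size regardless of the segment layout.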