CVE-2026-45287
OpenTelemetry-Go is the Go implementation of OpenTelemetry
Published: 2026-06-04 · Last updated: 2026-06-08
Severity and scoring
- CWE: CWE-772, CWE-775
Description
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17, `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leak one file descriptor on each successful `ParseFile` call. `ParseFile` opens the schema file and passes it to `Parse` without closing it; repeated parsing in a long-running process can exhaust the process's file descriptor limit and cause denial of service. Exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path. Version 0.0.17 contains a patch for the issue.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-45287
- [Other] https://github.com/open-telemetry/opentelemetry-go/commit/e72a235518cb773137efd80336a179028bc34684
- [Other] https://github.com/open-telemetry/opentelemetry-go/commit/f12d198f161b61735d65705248715aa97021ba8d
- [Other] https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-995v-fvrw-c78m
Related CVEs
Same CWE
- CVE-2026-45536 — Netty is a network application framework for development of protocol servers and clients (4.0 MEDIUM)
- CVE-2026-9156 — Tanium addressed a denial of service vulnerability in Tanium Server (6.5 MEDIUM)
- CVE-2026-42577 — Netty is an asynchronous, event-driven network application framework (7.5 HIGH)
- CVE-2026-3104 — A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain (7.5 HIGH)
- CVE-2026-23299 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: purge error queues in socket destructors When TX timesta... (5.5 MEDIUM)