CVE-2026-45287

Summary

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17, go.opentelemetry.io/otel/schema/v1.0 and go.opentelemetry.io/otel/schema/v1.1 leaks one file descriptor on each successful ParseFile call. ParseFile opens the schema file and passes it to Parse without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. Exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path. Version 0.0.17 contains a patch for the issue.

Affected Software

VendorProductVersion RangeStatus
open-telemetrygo.opentelemetry.io/otel/schema/v1.1< 0.0.17affected
open-telemetrygo.opentelemetry.io/otel/schema/v1.0< 0.0.17affected

Weaknesses

  • CWE-772: CWE-772: Missing Release of Resource after Effective Lifetime
  • CWE-775: CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References