CVE-2026-45680

MEDIUMPre-NVD 5.95.9

5.9

OpenTelemetry eBPF Instrumentation: Unbounded BPF internal metrics replay can exhaust CPU

Summary

OBI replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very large, causing the metrics exporter to spend excessive CPU time in a tight loop every collection interval.

Details

The vulnerable loop is in pkg/export/prom/prom_bpf.go. During each metrics tick, OBI iterates through probeMetrics and then executes for range metric.count, invoking BpfProbeLatency(...) for each individual recorded hit.

The count comes from calculateStats() in the same file, where deltaCount := bp.runCount - bp.prevRunCount is calculated and returned without any cap before the per-hit replay loop.

If probe activity spikes between scrape intervals, deltaCount can be very large. The exporter then spends CPU time proportional to the number of probe hits rather than the number of metric series.

PoC

Local testing with a small reproducer confirmed the replay-loop behavior and showed CPU scaling with the recorded hit count rather than the number of metric series.

Use a vulnerable build and enable internal metrics export:

git checkout v0.0.0-rc.1+build
make build
export OTEL_EBPF_INTERNAL_METRICS_PROMETHEUS_PORT=9090
sudo ./bin/obi

Create a high-rate workload that repeatedly exercises traced probes. For example, generate HTTP traffic against an instrumented service:

python3 -m http.server 18081

Then drive it:

seq 1 500000 | xargs -P 128 -I{} curl -s http://127.0.0.1:18081 >/dev/null

At the same time, scrape metrics repeatedly:

while true; do curl -s http://127.0.0.1:9090/metrics >/dev/null; done

On a vulnerable build, OBI CPU consumption rises sharply during the metrics loop because histogram updates are replayed once per counted probe execution. The effect is visible in top or pidstat and is most pronounced under sustained high request volume.

Impact

This is an availability issue in the internal metrics path. Any deployment that enables BPF internal metrics and traces busy workloads is affected. Attackers can indirectly consume CPU in the privileged agent by driving enough activity through instrumented services.

CVSS v3: 5.9
EG Score: 5.9(low)
EPSS: —
KEV: Not listed

Published

May 18, 2026

Last Modified

May 18, 2026

Vendor Advisories for CVE-2026-45680(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

GHSA-89c6-vpcj-7vj4
GitHub Security AdvisoriesMedium
OpenTelemetry eBPF Instrumentation: Unbounded BPF internal metrics replay can exhaust CPU

Data Freshness Timeline

(refreshed 0× in last 7d / 1× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-05-24 06:16 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-45680?

CVE-2026-45680 is a medium vulnerability published on May 18, 2026. OpenTelemetry eBPF Instrumentation: Unbounded BPF internal metrics replay can exhaust CPU Summary OBI replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very large, causing the metrics exporter to spend…

When was CVE-2026-45680 disclosed?

CVE-2026-45680 was first published in the National Vulnerability Database on May 18, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

What is the CVSS score of CVE-2026-45680?

CVE-2026-45680 has a CVSS v3 base score of 5.9 (NVD). The EG score is currently aggregating — additional source signals are being incorporated as they become available..

How do I remediate CVE-2026-45680?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-45680, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-45680

Explore →

Is Your Infrastructure Affected by CVE-2026-45680?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs