GHSA-f2r5-5m7w-p5cxMediumCVSS 6.2

opentelemetry-ebpf-profiler: Unprivileged process can trigger a denial of service on the ebpf-profiler agent

Published
June 23, 2026
Last Modified
June 23, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

An unprivileged process can easily trigger the processPIDEvents goroutine to be blocked indefinitely, preventing the goroutine from analyzing any new ELF file. The goroutine stays blocked in the openat2 syscall forever and the profiler can no longer work properly, it is a denial of service.

Impact

The impact is limited to denial-of-service on the ebpf-profiler agent:

  • There has to be a malicious workload albeit unprivileged.
  • No exfiltration of data. No loss of data.

Fix

Fixed in https://github.com/open-telemetry/opentelemetry-ebpf-profiler/commit/234b685cab31c2cb2f79e966caeab168bcc489e4.

Fix is part of v.0.0.202622.

🎯 Affected products1

  • go/go.opentelemetry.io/ebpf-profiler:>= 0.0.202527, < 0.0.202622

🔗 References (4)