Listen to this Post
The CVE-2026-45681 vulnerability arises from a size mismatch in the per-CPU message-buffer fallback path within OpenTelemetry eBPF Instrumentation (OBI). The `k_kprobes_http2_buf_size` constant defines a 256‑byte fallback buffer, while the `msg_buffer_t` structure introduces an 8KB per‑CPU buffer alongside this 256‑byte fallback_buf. When a CPU mismatch occurs between the producer and consumer contexts, OBI erroneously uses the 256‑byte `fallback_buf` but still preserves the original payload size, which can be up to 8KB, stored in m_buf->real_size. This `real_size` value is then passed downstream and used as the `bytes_len` parameter to read payload data from the `u_buf` pointer. Because the `u_buf` points to the 256‑byte fallback buffer when the CPU mismatch path is taken, the read operation of up to 8KB exceeds the buffer’s boundaries. This out‑of‑bounds read occurs in the HTTP tracing path when context propagation is enabled, the `tpinjector` sock_msg path is active, and HTTP large‑buffer capture is configured with a non‑zero size. Under these conditions, OBI can leak adjacent kernel or process memory into the exported telemetry data, leading to a confidentiality breach. A user‑space AddressSanitizer proof‑of‑concept (PoC) that models a 256‑byte fallback buffer and a large `real_size` reproduces the same class of over‑read, confirming the vulnerability’s presence. The issue has been fixed in version 0.8.0 by correcting the buffer size handling.
Platform: OpenTelemetry eBPF Instrumentation
Version: 0.4.0 to 0.8.0
Vulnerability: Buffer Over-read
Severity: Moderate
date: 2026-05-12
Prediction: Patch expected 2026-06-01
What Undercode Say:
Clone the vulnerable repository version
git clone https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation
cd opentelemetry-ebpf-instrumentation
git checkout 032473449b53d9f02ec4619d4f5b84e6a81db362
Compile the user-space proof-of-concept
cat > /tmp/poc_msgbuf_oob.c << 'EOF'
include <stdint.h>
include <stdio.h>
include <string.h>
struct msg_buffer {
unsigned char fallback_buf[bash];
uint16_t pos;
uint16_t real_size;
uint32_t cpu_id;
};
int main(void) {
struct msg_buffer m = {0};
unsigned char sink[bash];
memset(m.fallback_buf, 'A', sizeof(m.fallback_buf));
m.real_size = 4096; // Up to 8192 bytes
memcpy(sink, m.fallback_buf, m.real_size);
printf("Copied %u bytes from a 256-byte fallback buffer\n", m.real_size);
return 0;
}
EOF
cc -fsanitize=address -O1 -g -o /tmp/poc_msgbuf_oob /tmp/poc_msgbuf_oob.c
Run the PoC to trigger the buffer over-read
ASAN_OPTIONS=abort_on_error=1 /tmp/poc_msgbuf_oob
Exploit:
To exploit this vulnerability, an attacker must be able to trigger a CPU mismatch in a monitored environment where OBI is tracing HTTP traffic with large‑buffer capture enabled. When the kernel scheduler moves the producer and consumer contexts to different CPUs, OBI falls back to the 256‑byte buffer while still expecting an 8KB payload. This forces OBI to read 8KB of data from a 256‑byte buffer, causing it to access adjacent memory locations and leak sensitive information (e.g., other processes’ data, kernel secrets) into the exported telemetry stream. The attacker can then collect this leaked memory from the telemetry backend.
Protection from this CVE:
Upgrade to OpenTelemetry eBPF Instrumentation version 0.8.0 or later, which fixes the buffer size mismatch by using the correct buffer length in the fallback path. If immediate upgrading is not possible, disable HTTP large‑buffer capture by setting the relevant capture size to zero and avoid enabling context propagation on untrusted systems until the patch is applied.
Impact:
Successful exploitation leads to confidentiality loss where OBI exports adjacent memory content (up to ~7.5KB of excess data) through telemetry. This leaked memory may contain sensitive information such as credentials, tokens, personal data, or kernel structures. The issue does not affect availability or integrity, but the information disclosure can be leveraged in further attacks.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

