Listen to this Post
The vulnerability is a PATH hijacking flaw affecting the OpenTelemetry Go SDK. The resource detection code in `sdk/resource/host_id.go` executes external system commands without using absolute paths. Specifically, when initializing OpenTelemetry, the `hostIDReaderBSD.read()` method calls `r.execCommand(“kenv”, “-q”, “smbios.system.uuid”)` to retrieve the system UUID. The `execCommand` helper uses Go’s exec.Command(name, arg...), which searches for the executable in the directories listed in the `$PATH` environment variable when a bare command name is provided. An attacker with local access to the system can place a malicious binary named `kenv` in a directory that appears earlier in `$PATH` than the system’s legitimate `kenv` binary. When the Go application starts and initializes OpenTelemetry, the resource detection logic executes, and the `kenv` command resolves to the attacker’s malicious binary. This allows arbitrary code execution in the context of the application. The vulnerability is triggered when the `/etc/hostid` file does not exist (line 38-40), which is common on FreeBSD and other BSD systems. The vulnerability affects all versions from v1.15.0 to v1.42.0, as the initial fix for CVE-2026-24051 (the Darwin `ioreg` command) left the BSD `kenv` command unpatched. The attack vector is local, requiring the attacker to have the ability to modify the `PATH` environment variable. The impact is arbitrary code execution, potentially leading to full system compromise if the vulnerable application runs with elevated privileges. The suggested fix is to use the absolute path `/bin/kenv` in the `execCommand` call, as `kenv` is located at `/bin/kenv` on FreeBSD systems.
dailycve form:
Platform: Go SDK
Version: 1.20.0-1.39.0
Vulnerability: PATH Hijacking
Severity: CRITICAL
date: 2026-02-02
Prediction: Fixed 2026-02-19
Analytics under What Undercode Say:
Check if /etc/hostid exists if [ ! -f /etc/hostid ]; then echo "System vulnerable to CVE-2026-24051" fi Exploit PATH hijacking mkdir -p /tmp/evil echo '!/bin/sh' > /tmp/evil/kenv echo 'whoami > /tmp/exploit.out' >> /tmp/evil/kenv chmod +x /tmp/evil/kenv export PATH=/tmp/evil:$PATH go run main.go
Exploit:
- Attacker creates malicious `kenv` binary
- Modifies `$PATH` to prioritize malicious directory
- Vulnerable application imports OpenTelemetry SDK
- Resource detection calls `kenv` without absolute path
- Malicious binary executes arbitrary code
Protection from this CVE:
- Update to OpenTelemetry Go SDK v1.43.0 or later
- Use absolute paths for external commands
- Remove `kenv` from `PATH` if not required
- Monitor for suspicious `kenv` binaries in `PATH`
– Apply principle of least privilege to applications
Impact:
- Local privilege escalation
- Arbitrary code execution
- Data confidentiality breach
- System integrity compromise
- Potential full system takeover
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

