216.73.217.172

CVE-2026-45287

· Published 04/06/2026 16:16 · Modified 04/06/2026 16:23

Labels: CVE-2026-45287 2026-06-04CVE-2026-45287CWE-772[email protected]

Essential information

Published
04/06/2026 16:16
Modified
04/06/2026 16:23
Author
Creator
CVSS
2.1 LOW (v3) 2.1 LOW (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17, `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leaks one file descriptor on each successful `ParseFile` call. `ParseFile` opens the schema file and passes it to `Parse` without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. Exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path. Version 0.0.17 contains a patch for the issue.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
opentelemetry / opentelemetry-go cpe:2.3:a:opentelemetry:opentelemetry-go:<0.0.17:*:*:*:*:*:*:*

References