Medium severity (5.5) · GHSA Advisory · Published May 18, 2026 · Updated May 18, 2026

OpenTelemetry eBPF Instrumentation: Unsafe fastelf parsing allows malformed ELF to crash agent

CVE-2026-45676

Description

Summary

OBI's replacement ELF parser trusts section offsets, counts, and string offsets from the executable file. A crafted local ELF can make OBI dereference invalid section pointers or slice past string tables, causing the agent to panic while determining the process language.

Details

matchExeSymbols iterates over sections and uses offsets/symbol names from the unvalidated fastelf context; nil section pointers or out-of-range offsets can trigger panics during dereference/slicing.

https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/exec/proclang_linux.go#L133-L165

GetCStringUnsafe and ReadStruct perform unsafe slicing and pointer conversion without guarding against out-of-range or negative offsets derived from ELF data, enabling panics on malformed input.

https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/fastelf/fastelf.go#L201-L213

NewElfContextFromData trusts Shoff/Shnum/Phnum from the ELF header, converting them to int and populating sections/segments without validating offsets or ensuring ReadStruct returned non-nil.

https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/cec36c1b872beba9d17956bfde75dee3249a1516/pkg/internal/fastelf/fastelf.go#L271-L296

Malformed ELF metadata can therefore crash OBI during normal process discovery.
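
The missing checks described above can be sketched as follows. This is an added example, not OBI's code: checkSectionTable, safeCString and sampleELF are hypothetical names, the sample image is constructed, and only ELF64 little-endian input is assumed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

const offShoff, offShentsize, offShnum = 0x28, 0x3a, 0x3c // ELF64 e_shoff, e_shentsize, e_shnum
const ehdrSize, shdrSize = 0x40, 0x40                     // sizeof Elf64_Ehdr, Elf64_Shdr

// checkSectionTable (hypothetical name) returns e_shnum only if the table it describes fits in data.
func checkSectionTable(data []byte) (int, error) {
	if len(data) < ehdrSize || !bytes.HasPrefix(data, []byte("\x7fELF\x02\x01")) {
		return 0, fmt.Errorf("not an ELF64 little-endian header")
	}
	shoff := binary.LittleEndian.Uint64(data[offShoff:])
	entsize := uint64(binary.LittleEndian.Uint16(data[offShentsize:]))
	shnum := uint64(binary.LittleEndian.Uint16(data[offShnum:]))
	size := uint64(len(data))
	// Two 16-bit values cannot overflow uint64; subtracting keeps a huge shoff from wrapping.
	if shnum > 0 && (entsize < shdrSize || shoff > size || shnum*entsize > size-shoff) {
		return 0, fmt.Errorf("%d section headers at %#x exceed %d-byte file", shnum, shoff, size)
	}
	return int(shnum), nil
}

// safeCString (hypothetical name) rejects out-of-table offsets and unterminated names.
func safeCString(strtab []byte, off uint32) (string, bool) {
	if uint64(off) >= uint64(len(strtab)) {
		return "", false
	}
	name, _, ok := bytes.Cut(strtab[off:], []byte{0})
	return string(name), ok
}

// sampleELF builds a constructed 128-byte image: ELF64 header plus one section header.
func sampleELF(shnum uint16) []byte {
	img := make([]byte, ehdrSize+shdrSize)
	copy(img, "\x7fELF\x02\x01\x01")
	binary.LittleEndian.PutUint64(img[offShoff:], ehdrSize)
	binary.LittleEndian.PutUint16(img[offShentsize:], shdrSize)
	binary.LittleEndian.PutUint16(img[offShnum:], shnum)
	return img
}

func main() {
	fmt.Println(checkSectionTable(sampleELF(1)))
	fmt.Println(checkSectionTable(sampleELF(0xffff)))
}
```

A parser that returns an error here lets the caller skip language detection for that one process instead of panicking the whole agent.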

PoC

Local testing confirms the parser panic path on the vulnerable release, but one caveat is worth noting: rerunning a previously captured malformed-ELF PoC directly against the current checkout did not reproduce the original crash. That means the parser has drifted since the vulnerable release, so reproduction should be performed against the affected release tag or commit range rather than assuming current HEAD still panics in exactly the same way.

Use a vulnerable build:

git checkout v0.0.0-rc.1+build
make build

Create a small valid ELF and then corrupt its section-header metadata:

cat >/tmp/hello.c <<'EOF'
int main(void) { return 0; }
EOF
cc -o /tmp/hello /tmp/hello.c
cp /tmp/hello /tmp/hello-bad
printf '\xff\xff' | dd of=/tmp/hello-bad bs=1 seek=$((0x3c)) conv=notrunc

Run the malformed executable so OBI inspects it during process discovery:

chmod +x /tmp/hello-bad
/tmp/hello-bad &

Start OBI or trigger a rescan of processes:

sudo ./bin/obi

On a vulnerable build, OBI can panic while parsing the malformed ELF. If the first corruption does not hit the exact fragile path on your architecture, alter section-name or symbol-table offsets instead; the root issue is the lack of defensive validation before GetCStringUnsafe and related section lookups.

Impact

This is a local denial of service against the telemetry agent. Any local tenant or process owner able to execute a malformed binary on a monitored host can crash OBI and interrupt observability for other workloads.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OBI's fastelf parser trusts unvalidated ELF offsets, allowing a crafted local ELF to panic the agent during process language detection.

Vulnerability

OBI's replacement ELF parser (fastelf) trusts section offsets, counts, and string offsets directly from the executable file without validation. Functions matchExeSymbols, GetCStringUnsafe, ReadStruct, and NewElfContextFromData in pkg/internal/exec/proclang_linux.go and pkg/internal/fastelf/fastelf.go dereference nil section pointers or perform out-of-range slicing when processing malformed ELF metadata [2]. The vulnerable code path is reachable when the agent scans a process's ELF binary to determine its language. Affected versions include v0.0.0-rc.1+build [3].

Exploitation

An attacker with local access can craft a malicious ELF binary with corrupted section-header offsets, string table pointers, or symbol counts. When OBI's agent discovers and parses this ELF during normal process monitoring, the unvalidated offsets trigger a panic in matchExeSymbols or ReadStruct [2]. No authentication beyond the ability to execute or place the ELF on the filesystem is required. The PoC demonstrates reproducing the crash by checking out the vulnerable tag and running a corrupted ELF [3].

Impact

Successful exploitation causes the OBI agent to panic and terminate, resulting in a denial of service. Telemetry collection stops until the agent is restarted. No code execution, privilege escalation, or information disclosure has been demonstrated [2].

Mitigation

As of the advisory publication date, no official fix has been released [2]. The project is in development (v0) and users should pin to a specific semver release tag and monitor release notes for breaking changes [1]. Workarounds include avoiding execution of untrusted ELF binaries on monitored systems or deploying agent restart mechanisms. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.
