VYPR
Medium severity (5.9) · GHSA Advisory · Published May 18, 2026 · Updated May 18, 2026

OpenTelemetry eBPF Instrumentation: Unbounded BPF internal metrics replay can exhaust CPU

CVE-2026-45680

Description

Summary

OBI replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very large, causing the metrics exporter to spend excessive CPU time in a tight loop every collection interval.

Details

The vulnerable loop is in `pkg/export/prom/prom_bpf.go`. During each metrics tick, OBI iterates through `probeMetrics` and then executes `for range metric.count`, invoking `BpfProbeLatency(...)` for each individual recorded hit.

The count comes from `calculateStats()` in the same file, where `deltaCount := bp.runCount - bp.prevRunCount` is calculated and returned without any cap before the per-hit replay loop.

If probe activity spikes between scrape intervals, `deltaCount` can be very large. The exporter then spends CPU time proportional to the number of probe hits rather than the number of metric series.
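To make the loop shape concrete, here is an added Go sketch (not OBI's code; the type and function names and the `maxDeltaPerTick` value are hypothetical) that places the per-hit replay beside a constant-work alternative, which folds the whole delta into the histogram in one weighted update and treats a counter that went backwards as zero new hits instead of a wrapped unsigned delta:

```go
package main

// Hypothetical stand-ins for the per-probe counters and the latency
// histogram the advisory describes; these are not OBI's own types.
type probeStats struct {
	runCount     uint64  // cumulative hits recorded by the BPF program
	prevRunCount uint64  // value seen at the previous collection tick
	avgLatencyNs float64 // latency attributed to each hit in this tick
}

type histogram struct {
	count uint64
	sumNs float64
}

func (h *histogram) observe(latencyNs float64) { h.count++; h.sumNs += latencyNs }

// observeN folds n identical observations into the histogram in O(1).
func (h *histogram) observeN(latencyNs float64, n uint64) {
	h.count += n
	h.sumNs += latencyNs * float64(n)
}

// replayPerHit is the vulnerable shape: one observe call per recorded hit,
// so work per tick grows with the run-count delta, not the series count.
func replayPerHit(h *histogram, bp *probeStats) uint64 {
	delta := bp.runCount - bp.prevRunCount
	for i := uint64(0); i < delta; i++ {
		h.observe(bp.avgLatencyNs)
	}
	bp.prevRunCount = bp.runCount
	return delta
}

// maxDeltaPerTick is an assumed sanity bound, not a value from the advisory.
const maxDeltaPerTick = 1_000_000

// replayAggregated does one weighted update per series. A counter that went
// backwards (probe reattach or reset) counts as zero new hits, not a wrapped delta.
func replayAggregated(h *histogram, bp *probeStats) (applied uint64, capped bool) {
	var delta uint64
	if bp.runCount >= bp.prevRunCount {
		delta = bp.runCount - bp.prevRunCount
	}
	if delta > maxDeltaPerTick {
		delta, capped = maxDeltaPerTick, true
	}
	h.observeN(bp.avgLatencyNs, delta)
	bp.prevRunCount = bp.runCount
	return delta, capped
}
```

Both paths leave the histogram with identical count and sum for the same delta; only the aggregated path keeps per-tick cost independent of how busy the traced workload was.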

PoC

Local testing with a small reproducer confirmed the replay-loop behavior and showed CPU scaling with the recorded hit count rather than the number of metric series.

Use a vulnerable build and enable internal metrics export:

git checkout v0.0.0-rc.1+build
make build
export OTEL_EBPF_INTERNAL_METRICS_PROMETHEUS_PORT=9090
sudo ./bin/obi

Create a high-rate workload that repeatedly exercises traced probes. For example, generate HTTP traffic against an instrumented service:

python3 -m http.server 18081

Then drive it:

seq 1 500000 | xargs -P 128 -I{} curl -s http://127.0.0.1:18081 >/dev/null

At the same time, scrape metrics repeatedly:

while true; do curl -s http://127.0.0.1:9090/metrics >/dev/null; done

On a vulnerable build, OBI CPU consumption rises sharply during the metrics loop because histogram updates are replayed once per counted probe execution. The effect is visible in top or pidstat and is most pronounced under sustained high request volume.

Impact

This is an availability issue in the internal metrics path. Any deployment that enables BPF internal metrics and traces busy workloads is affected. Attackers can indirectly consume CPU in the privileged agent by driving enough activity through instrumented services.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenTelemetry eBPF Instrumentation (OBI) v0.0.0-rc.1+build has an unbounded loop in its metrics exporter, which can exhaust CPU when BPF probe hits spike.

Vulnerability

OpenTelemetry eBPF Instrumentation (OBI) v0.0.0-rc.1+build contains a CPU-exhaustion vulnerability in the internal metrics path. In `pkg/export/prom/prom_bpf.go`, the `calculateStats()` function computes `deltaCount := bp.runCount - bp.prevRunCount` without any upper bound [1][2]. This delta is then used in a `for range metric.count` loop that calls `BpfProbeLatency(...)` for each individual probe hit, causing the loop to execute an unbounded number of times when probe activity is high [2][3].

Exploitation

An attacker needs the ability to generate high-rate traffic that exercises traced eBPF probes on a system running OBI with internal metrics export enabled (environment variable `OTEL_EBPF_INTERNAL_METRICS_PROMETHEUS_PORT` set). No authentication is required; the attacker simply drives workload (e.g., HTTP requests) against an instrumented service while a metrics scraper repeatedly fetches the internal Prometheus endpoint [2][3]. The replay loop then consumes CPU time proportional to the run-count delta, leading to high CPU usage in the OBI process [2].

Impact

Successful exploitation causes sustained high CPU consumption by the privileged OBI process, degrading availability of the host or other co-located workloads. This is strictly an availability issue: no information disclosure, file modification, or remote code execution is possible [2][3].

Mitigation

As of the available references, no patched version has been released. The OBI project is in development (v0) and recommends pinning to specific releases; however, no fix is yet available for this CVE [1][2]. Deployments that do not require internal metrics should disable the feature by unsetting `OTEL_EBPF_INTERNAL_METRICS_PROMETHEUS_PORT`. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches: No patches discovered yet.
