Resource Leak Vulnerability in OpenTelemetry-Go Affecting File Descriptors
CVE-2026-45287

2.1LOW

What is CVE-2026-45287?

A vulnerability in OpenTelemetry-Go prior to version 0.0.17 allows for the leakage of file descriptors due to improper handling in the ParseFile function. Each call to ParseFile opens a schema file without closing it, which can lead to exhaustion of the process file descriptor limit during repeated parsing operations. This issue becomes critical, particularly in long-running applications where an attacker could exploit this by controlling the parsing process. Updating to version 0.0.17 is essential to mitigate the risk of denial of service caused by this resource leak issue.

Affected Version(s)

go.opentelemetry.io/otel/schema/v1.0 < 0.0.17

go.opentelemetry.io/otel/schema/v1.1 < 0.0.17

References

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.