OpenTelemetry-Go's Schema ParseFile leaks file descriptors on each parse
CVE-2026-45287

2.1LOW

Key Information:

Vendor

Open-telemetry

Status
Go.opentelemetry.io/otel/schema/v1.1
Go.opentelemetry.io/otel/schema/v1.0
Vendor
CVE Published:
4 June 2026

What is CVE-2026-45287?

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17, go.opentelemetry.io/otel/schema/v1.0 and go.opentelemetry.io/otel/schema/v1.1 leaks one file descriptor on each successful ParseFile call. ParseFile opens the schema file and passes it to Parse without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. Exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path. Version 0.0.17 contains a patch for the issue.

Affected Version(s)

go.opentelemetry.io/otel/schema/v1.0 < 0.0.17

go.opentelemetry.io/otel/schema/v1.1 < 0.0.17

References

https://github.com/open-telemetry/opentelemetry-go/securi...
x_refsource_CONFIRM
https://github.com/open-telemetry/opentelemetry-go/commit...
x_refsource_MISC
https://github.com/open-telemetry/opentelemetry-go/commit...
x_refsource_MISC

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.