GHSA-r6c9-g6q5-qrf9: OpenTelemetry eBPF Instrumentation: CPU-mismatch fallback uses 256-byte buffer with 8KB size
Summary
OpenTelemetry eBPF Instrumentation (OBI) contains an out-of-bounds read in its HTTP tracing path. When the CPU on which a request is observed does not match the CPU recorded for it, the code falls back to a 256-byte buffer, but the subsequent read is still bounded by the 8 KB size of the primary buffer rather than by the size of the buffer actually in use. The read therefore runs past the end of the fallback buffer, and whatever adjacent memory it picks up is copied into the telemetry OBI emits (the trace data it exports). Although the advisory describes this as a "memory leak", the effect is information disclosure of adjacent memory, not a leak of allocated memory. The condition is reachable when context propagation is enabled and certain further conditions are met.
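The following is an added example, not code from OBI or from the advisory, that reproduces the bug pattern in plain userspace C: a buffer selection that falls back to a 256-byte scratch area on CPU mismatch, a copy routine that clamps the length to the 8 KB size it assumes, and the hardened form that clamps to the capacity carried with the buffer. All names (`tracebuf`, `select_buffer`, `copy_body_vulnerable`, `copy_body_fixed`, `run_request`) are hypothetical, and the arena that stands in for "adjacent memory" is constructed test data so the simulated over-read stays inside one allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Sizes named in the advisory: the copy path assumes an 8 KB buffer while
 * the CPU-mismatch fallback is only 256 bytes. */
#define LARGE_BUF_SIZE     8192
#define FALLBACK_BUF_SIZE  256
#define MARKER             'S'   /* byte value used for "adjacent memory" */

/* Hypothetical descriptor: where the request body lives and its real size. */
struct tracebuf {
    const uint8_t *data;
    size_t cap;
};

/* Constructed memory layout. The fallback buffer is the first 256 bytes of
 * `arena`; the rest of the arena plays the role of whatever lives next to
 * it. Keeping both in one object means the over-read below is still a
 * defined in-bounds access for this simulation. */
static uint8_t arena[LARGE_BUF_SIZE];
static uint8_t large_buf[LARGE_BUF_SIZE];

static void reset_memory(void) {
    memset(large_buf, 'L', sizeof large_buf);        /* primary buffer */
    memset(arena, MARKER, sizeof arena);             /* adjacent memory */
    memset(arena, 'F', FALLBACK_BUF_SIZE);           /* fallback contents */
}

/* Hypothetical stand-in for the per-CPU lookup: when the CPU that saw the
 * request start differs from the current CPU, hand out the small buffer. */
static struct tracebuf select_buffer(int start_cpu, int cur_cpu) {
    struct tracebuf b;
    if (start_cpu == cur_cpu) {
        b.data = large_buf;
        b.cap  = LARGE_BUF_SIZE;
    } else {
        b.data = arena;                 /* the 256-byte fallback */
        b.cap  = FALLBACK_BUF_SIZE;
    }
    return b;
}

/* Vulnerable pattern: the length is clamped to the size the code assumes
 * (8 KB), not to the capacity of the buffer it was actually given. */
static size_t copy_body_vulnerable(const struct tracebuf *b, size_t want,
                                   uint8_t *out) {
    size_t n = want < LARGE_BUF_SIZE ? want : LARGE_BUF_SIZE;
    memcpy(out, b->data, n);            /* over-reads when b is the fallback */
    return n;
}

/* Hardened pattern: clamp to the real capacity carried with the buffer. */
static size_t copy_body_fixed(const struct tracebuf *b, size_t want,
                              uint8_t *out) {
    size_t n = want < b->cap ? want : b->cap;
    memcpy(out, b->data, n);
    return n;
}

/* Count how many copied bytes came from adjacent memory. */
static size_t leaked_bytes(const uint8_t *out, size_t n) {
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++)
        if (out[i] == MARKER) leaked++;
    return leaked;
}

/* Run one request through the chosen copy routine and report how many
 * bytes of adjacent memory ended up in the "telemetry" output. */
size_t run_request(int start_cpu, int cur_cpu, size_t want, int hardened) {
    static uint8_t out[LARGE_BUF_SIZE];
    reset_memory();
    struct tracebuf b = select_buffer(start_cpu, cur_cpu);
    size_t n = hardened ? copy_body_fixed(&b, want, out)
                        : copy_body_vulnerable(&b, want, out);
    return leaked_bytes(out, n);
}

int main(void) {
    printf("same CPU, vulnerable copy: %zu leaked bytes\n",
           run_request(0, 0, LARGE_BUF_SIZE, 0));
    printf("CPU mismatch, vulnerable : %zu leaked bytes\n",
           run_request(0, 1, LARGE_BUF_SIZE, 0));
    printf("CPU mismatch, hardened   : %zu leaked bytes\n",
           run_request(0, 1, LARGE_BUF_SIZE, 1));
    return 0;
}
```

The design point is that the bound must travel with the buffer: a caller that clamps against a constant it assumes will be wrong the moment a different code path hands it a smaller object. In the vulnerable run the mismatch case copies 256 bytes of the fallback followed by 7936 bytes of adjacent memory into the output; the hardened copy stops at 256, and the same-CPU path is unaffected either way.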
Vulnerability Details
EPSS: 0.0%
May 18, 2026
Original source: https://github.com/advisories/GHSA-r6c9-g6q5-qrf9
First tracked: May 18, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 75%