GHSA-89c6-vpcj-7vj4: OpenTelemetry eBPF Instrumentation: Unbounded BPF internal metrics replay can exhaust CPU
medium vulnerability
security
Summary
OpenTelemetry eBPF Instrumentation (OBI) has a performance flaw: it replays BPF probe hits (measurements of how long instrumented code takes to run) by looping once for each recorded execution. On a busy system the number of executions between two metric collection intervals can be very large, so the metrics exporter spends its CPU time in a tight loop whose length scales with traffic, instead of processing a fixed number of metric series.
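The contrast the summary draws, work per collection that scales with traffic versus work that scales with the number of series, is easiest to see side by side. The following Go program is an added illustration written for this page, not code from OBI or from the fix; the `ProbeSample` type, the toy `Histogram`, the probe names and the sample counts are all constructed for the example. `replayPerHit` feeds an instrument once per recorded execution (the unbounded pattern), while `exportAggregated` records the same pre-aggregated data in one step per probe; both end with identical histogram contents, but one performs five million iterations and the other two.

```go
package main

import "fmt"

// ProbeSample is a constructed stand-in for what a userspace exporter reads
// out of a BPF map per collection interval: how many times a probed function
// ran since the last read and the total nanoseconds spent in it. Hypothetical
// type for this illustration, not a type from OBI.
type ProbeSample struct {
	Probe   string
	Count   uint64
	TotalNs uint64
}

// Histogram is a minimal fixed-bucket latency histogram standing in for a
// metrics SDK instrument. Bounds are upper bounds in ns, ascending; the extra
// last bucket is the overflow bucket.
type Histogram struct {
	Bounds  []uint64
	Buckets []uint64
	Count   uint64
	Sum     uint64
}

func NewHistogram(bounds []uint64) *Histogram {
	return &Histogram{Bounds: bounds, Buckets: make([]uint64, len(bounds)+1)}
}

// bucketFor returns the index of the first bucket whose bound is >= ns.
func (h *Histogram) bucketFor(ns uint64) int {
	for i, b := range h.Bounds {
		if ns <= b {
			return i
		}
	}
	return len(h.Bounds)
}

// Observe records a single measurement.
func (h *Histogram) Observe(ns uint64) {
	h.Buckets[h.bucketFor(ns)]++
	h.Count++
	h.Sum += ns
}

// ObserveN records n identical measurements in one step, so a probe that
// fired a million times costs the same as one that fired once.
func (h *Histogram) ObserveN(ns, n uint64) {
	h.Buckets[h.bucketFor(ns)] += n
	h.Count += n
	h.Sum += ns * n
}

// Equal reports whether two histograms hold the same data.
func (h *Histogram) Equal(o *Histogram) bool {
	if h.Count != o.Count || h.Sum != o.Sum || len(h.Buckets) != len(o.Buckets) {
		return false
	}
	for i := range h.Buckets {
		if h.Buckets[i] != o.Buckets[i] {
			return false
		}
	}
	return true
}

// replayPerHit is the unbounded pattern the advisory describes: the exporter
// loops once per recorded execution to feed the instrument, so work per
// collection grows with traffic rather than with the number of series.
// It returns the number of loop iterations performed.
func replayPerHit(h *Histogram, samples []ProbeSample) uint64 {
	var iters uint64
	for _, s := range samples {
		if s.Count == 0 {
			continue
		}
		avg := s.TotalNs / s.Count
		for i := uint64(0); i < s.Count; i++ {
			h.Observe(avg)
			iters++
		}
	}
	return iters
}

// exportAggregated is the bounded alternative: one step per probe regardless
// of how many times it fired, producing the same histogram contents.
func exportAggregated(h *Histogram, samples []ProbeSample) uint64 {
	var iters uint64
	for _, s := range samples {
		if s.Count == 0 {
			continue
		}
		h.ObserveN(s.TotalNs/s.Count, s.Count)
		iters++
	}
	return iters
}

// sampleInterval is one constructed collection interval: a hot probe, a cold
// probe and one that never fired.
var sampleInterval = []ProbeSample{
	{Probe: "http_handler", Count: 5_000_000, TotalNs: 1_500_000_000_000},
	{Probe: "db_query", Count: 200, TotalNs: 50_000_000},
	{Probe: "startup_hook", Count: 0, TotalNs: 0},
}

var bounds = []uint64{1_000, 10_000, 100_000, 1_000_000, 10_000_000}

func main() {
	unbounded, bounded := NewHistogram(bounds), NewHistogram(bounds)
	fmt.Printf("per-hit replay: %d iterations\n", replayPerHit(unbounded, sampleInterval))
	fmt.Printf("aggregated:     %d iterations\n", exportAggregated(bounded, sampleInterval))
	fmt.Printf("same result:    %v\n", unbounded.Equal(bounded))
}
```

The detection angle follows from the shape of the loop: if exporter CPU time per collection interval tracks request rate on the instrumented host rather than staying flat, the replay is per-hit. The mitigation is the one the 0.9.0 fix line implies, keeping the exporter's work proportional to the number of metric series.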
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
May 18, 2026
Classification
Attack Sophistication: Moderate
Affected Packages
go.opentelemetry.io/obi@< 0.9.0 (fixed: 0.9.0)
Original source: https://github.com/advisories/GHSA-89c6-vpcj-7vj4
First tracked: May 18, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%