Bug 2484831 (CVE-2026-45287) - CVE-2026-45287 go.opentelemetry.io/otel: go.opentelemetry.io/otel/schema/v1.0: go.opentelemetry.io/otel/schema/v1.1: OpenTelemetry-Go: Denial of Service due to file descriptor leak
Keywords:
Status: NEW
Alias: CVE-2026-45287
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2486201 2486204 2486205 2486206 2486207 2486208 2486209 2486211 2486213 2486214 2486216 2486219 2486220 2486223 2486224 2486225 2486226 2486227 2486229 2486230 2486231 2486232 2486233 2486234 2486235 2486236 2486237 2486238 2486239 2486241 2486242 2486243 2486245 2486247 2486248 2486249 2486251 2486253 2486254 2486256 2486257 2486258 2486259 2486261 2486262 2486263 2486264 2486265 2486266 2486267 2486268 2486269 2486270 2486271 2486272 2486273 2486274 2486275 2486276 2486279 2486280 2486281 2486282 2486283 2486284 2486285 2486286 2486287 2486288 2486289 2486290 2486291 2486295 2486296 2486297 2486298 2486202 2486203 2486210 2486212 2486215 2486217 2486218 2486221 2486222 2486228 2486240 2486244 2486246 2486250 2486252 2486255 2486260 2486277 2486278 2486292 2486293 2486294
Blocks:
Reported: 2026-06-04 16:01 UTC by OSIDB Bzimport
Modified: 2026-06-12 04:36 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-04 16:01:37 UTC
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17, `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leak one file descriptor on each successful `ParseFile` call. `ParseFile` opens the schema file and passes it to `Parse` without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. Exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path. Version 0.0.17 contains a patch for the issue.
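The open-without-close pattern named in the description, next to the closing form, as an added Go example that is not OpenTelemetry-Go's own code. `parseFile`, `fdGrowth` and the `io.Copy` stand-in for the parser are hypothetical names, the schema file is a constructed empty temp file, and counting entries in `/proc/self/fd` assumes Linux.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"runtime/debug"
)

// GC stays off so finalizers cannot close unreachable *os.File values mid-measurement.
func init() { debug.SetGCPercent(-1) }

// parseFile mirrors the described defect when fixed is false: open, parse, never close.
func parseFile(path string, fixed bool) error {
	f, err := os.Open(path)
	if err != nil {
		return err
	}
	if fixed {
		defer f.Close() // release the descriptor on every return path
	}
	_, err = io.Copy(io.Discard, f) // hypothetical stand-in for handing f to the parser
	return err
}

// fdGrowth returns how many descriptors n successful parseFile calls leave open.
func fdGrowth(fixed bool, n int) int {
	openFDs := func() int { // Linux only: one /proc/self/fd entry per descriptor
		entries, err := os.ReadDir("/proc/self/fd")
		if err != nil {
			panic(err)
		}
		return len(entries)
	}
	tmp, err := os.CreateTemp("", "schema-*.yaml") // constructed, empty sample file
	if err != nil {
		panic(err)
	}
	defer os.Remove(tmp.Name())
	tmp.Close()
	before := openFDs()
	for i := 0; i < n; i++ {
		if err := parseFile(tmp.Name(), fixed); err != nil {
			panic(err)
		}
	}
	return openFDs() - before
}

func main() { fmt.Println("leaky:", fdGrowth(false, 100), "fixed:", fdGrowth(true, 100)) }
```

The same descriptor count, sampled over time for a long-running service, is a practical signal for this class of leak before the process reaches its `RLIMIT_NOFILE` limit.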
