CVE Catalog

CVE-2026-45287

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile - higher than 8% of all known CVEs

Summary

OpenTelemetry-Go prior to version 0.0.17 has a file descriptor leak issue on each successful `ParseFile` call, which can lead to exhausting the file descriptor limit in a long-running process.

Risk Assessment

If exploited, an attacker can cause denial of service by exhausting available file descriptors, impacting application stability.

Recommendation

It is recommended to upgrade to version 0.0.17 or later to patch this vulnerability and prevent potential attacks.

Original NVD description (English source)

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17, `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leaks one file descriptor on each successful `ParseFile` call. `ParseFile` opens the schema file and passes it to `Parse` without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. Exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path. Version 0.0.17 contains a patch for the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS