CVE-2026-45287
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk8th percentile - higher than 8% of all known CVEs
Summary
OpenTelemetry-Go prior to version 0.0.17 has a file descriptor leak issue on each successful `ParseFile` call, which can lead to exhausting the file descriptor limit in a long-running process.
Risk Assessment
If exploited, an attacker can cause denial of service by exhausting available file descriptors, impacting application stability.
Recommendation
It is recommended to upgrade to version 0.0.17 or later to patch this vulnerability and prevent potential attacks.
Original NVD description (English source)
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17, `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leaks one file descriptor on each successful `ParseFile` call. `ParseFile` opens the schema file and passes it to `Parse` without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. Exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path. Version 0.0.17 contains a patch for the issue.

