CVE-2026-45676: OpenTelemetry eBPF Instrumentation: Unsafe fastelf parsing allows malformed ELF to crash agent

May 18, 2026

OBI’s replacement ELF parser trusts section offsets, counts, and string offsets from the executable file. A crafted local ELF can make OBI dereference invalid section pointers or slice past string tables, causing the agent to panic while determining the process language.

References

github.com/advisories/GHSA-wp73-mwgf-4jq9
github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-wp73-mwgf-4jq9
nvd.nist.gov/vuln/detail/CVE-2026-45676

Code Behaviors & Features

Detect and mitigate CVE-2026-45676 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →