#1139168 golang-opentelemetry-otel: CVE-2026-45287

Package:
src:golang-opentelemetry-otel
Source:
src:golang-opentelemetry-otel
Submitter:
Salvatore Bonaccorso
Date:
2026-06-06 19:01:02 UTC
Severity:
normal
Tags:
#1139168#5
Date:
2026-06-06 18:58:49 UTC
From:
To:
Hi,

The following vulnerability was published for golang-opentelemetry-otel.

CVE-2026-45287[0]:
| OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to
| version 0.0.17, `go.opentelemetry.io/otel/schema/v1.0` and
| `go.opentelemetry.io/otel/schema/v1.1` leaks one file descriptor on
| each successful `ParseFile` call. `ParseFile` opens the schema file
| and passes it to `Parse` without closing it; repeated parsing in a
| long-running process can exhaust the process file descriptor limit
| and cause denial of service. Exploitation depends on a consuming
| application exposing repeated schema parsing to an attacker-
| controlled path. Version 0.0.17 contains a patch for the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-45287
https://www.cve.org/CVERecord?id=CVE-2026-45287
[1] https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-995v-fvrw-c78m
[2] https://github.com/open-telemetry/opentelemetry-go/commit/f12d198f161b61735d65705248715aa97021ba8d

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore