GHSA-995V-FVRW-C78M
Vulnerability from github – Published: 2026-05-28 17:19 – Updated: 2026-05-28 17:19Summary
go.opentelemetry.io/otel/schema/v1.0 and go.opentelemetry.io/otel/schema/v1.1 leaks one file descriptor on each successful ParseFile call. ParseFile opens the schema file and passes it to Parse without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. The severity is low because exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path.
Introduced in commit: e72a235
Details
In schema/v1.0/parser.go:41-47, ParseFile opens the requested schema path with os.Open and then returns Parse(file) without a defer file.Close() or other close path:
file, err := os.Open(schemaFilePath)
if err != nil {
return nil, err
}
return Parse(file)
The validation evidence also identifies schema/v1.0/parser.go:50-73: Parse accepts an io.Reader, decodes from it, and does not close it. Ownership of the opened file is therefore not transferred to Parse, leaving the descriptor open until the Go runtime eventually finalizes the file object. With repeated ParseFile calls, descriptors can accumulate until the process receives EMFILE / "too many open files".
PoC
The local artifact validation-artifact.zip contains:
leak_poc.go: PoC source that repeatedly callsschema.ParseFile("schema/v1.0/testdata/valid-example.yaml")and prints/proc/self/fdcounts.LEAK_POC_README.txt: reproduction notes.leak_poc_run.log: captured attempted run; the local offline environment failed before execution because Go module download fromproxy.golang.orgwas forbidden.
Reproduce from the root of a checkout of pellared/opentelemetry-go at commit e72a235 with Go module dependencies already available:
/bin/sh -c 'ulimit -n 256; GOGC=off go run leak_poc.go'
Configuration:
- File descriptor soft limit:
256 - Garbage collection: disabled with
GOGC=offso leaked descriptors are not reclaimed during the loop - Schema file:
schema/v1.0/testdata/valid-example.yaml
Expected output is increasing descriptor counts followed by an EMFILE failure, for example:
iter 0 fds 7
iter 50 fds 57
iter 100 fds 107
...
panic: iteration 248: open schema/v1.0/testdata/valid-example.yaml: too many open files
The exact initial descriptor count and failing iteration can vary by OS and process state.
Impact
This is a file descriptor resource leak leading to availability loss. Applications that call schema.ParseFile repeatedly, especially through a runtime reload or request-controlled path, can exhaust their process file descriptor table and fail subsequent file, socket, or other descriptor operations. Impact is limited to denial of service of the consuming process; the evidence does not show confidentiality or integrity impact.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.0.16"
},
"package": {
"ecosystem": "Go",
"name": "go.opentelemetry.io/otel/schema/v1.1"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.0.16"
},
"package": {
"ecosystem": "Go",
"name": "go.opentelemetry.io/otel/schema/v1.0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45287"
],
"database_specific": {
"cwe_ids": [
"CWE-772",
"CWE-775"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-28T17:19:10Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\n\n`go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leaks one file descriptor on each successful `ParseFile` call. `ParseFile` opens the schema file and passes it to `Parse` without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. The severity is low because exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path.\n\nIntroduced in commit: e72a235\n\n### Details\n\nIn `schema/v1.0/parser.go:41-47`, `ParseFile` opens the requested schema path with `os.Open` and then returns `Parse(file)` without a `defer file.Close()` or other close path:\n\n```go\nfile, err := os.Open(schemaFilePath)\nif err != nil {\n\treturn nil, err\n}\nreturn Parse(file)\n```\n\nThe validation evidence also identifies `schema/v1.0/parser.go:50-73`: `Parse` accepts an `io.Reader`, decodes from it, and does not close it. Ownership of the opened file is therefore not transferred to `Parse`, leaving the descriptor open until the Go runtime eventually finalizes the file object. With repeated `ParseFile` calls, descriptors can accumulate until the process receives `EMFILE` / \"too many open files\".\n\n### PoC\n\n[validation-artifact.zip](https://github.com/user-attachments/files/27494463/validation-artifact.zip)\n\nThe local artifact `validation-artifact.zip` contains:\n\n- `leak_poc.go`: PoC source that repeatedly calls `schema.ParseFile(\"schema/v1.0/testdata/valid-example.yaml\")` and prints `/proc/self/fd` counts.\n- `LEAK_POC_README.txt`: reproduction notes.\n- `leak_poc_run.log`: captured attempted run; the local offline environment failed before execution because Go module download from `proxy.golang.org` was forbidden.\n\nReproduce from the root of a checkout of `pellared/opentelemetry-go` at commit `e72a235` with Go module dependencies already available:\n\n```sh\n/bin/sh -c \u0027ulimit -n 256; GOGC=off go run leak_poc.go\u0027\n```\n\nConfiguration:\n\n- File descriptor soft limit: `256`\n- Garbage collection: disabled with `GOGC=off` so leaked descriptors are not reclaimed during the loop\n- Schema file: `schema/v1.0/testdata/valid-example.yaml`\n\nExpected output is increasing descriptor counts followed by an `EMFILE` failure, for example:\n\n```text\niter 0 fds 7\niter 50 fds 57\niter 100 fds 107\n...\npanic: iteration 248: open schema/v1.0/testdata/valid-example.yaml: too many open files\n```\n\nThe exact initial descriptor count and failing iteration can vary by OS and process state.\n\n### Impact\n\nThis is a file descriptor resource leak leading to availability loss. Applications that call `schema.ParseFile` repeatedly, especially through a runtime reload or request-controlled path, can exhaust their process file descriptor table and fail subsequent file, socket, or other descriptor operations. Impact is limited to denial of service of the consuming process; the evidence does not show confidentiality or integrity impact.",
"id": "GHSA-995v-fvrw-c78m",
"modified": "2026-05-28T17:19:10Z",
"published": "2026-05-28T17:19:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-995v-fvrw-c78m"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-telemetry/opentelemetry-go"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "opentelemetry-go\u0027s Schema ParseFile leaks file descriptors on each parse"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.