EXECUTIVE SUMMARY:
The vulnerability tracked as CVE-2026-39883 impacts the OpenTelemetry Go SDK, where the BSD kenv command call does not use an absolute file path, resulting in an untrusted search path condition that could be abused for PATH hijacking. In affected versions of the SDK library, an attacker with local or build environment access could place a malicious binary earlier in the system PATH so that the instrumentation library inadvertently executes the attacker-controlled kenv program during resource detection. Successful exploitation can lead to arbitrary code execution in the context of applications linking the vulnerable SDK on BSD-derived platforms, posing significant risks to confidentiality, integrity, and availability. This issue was addressed by switching to the absolute path for the kenv command and eliminating the unsafe search behavior. The vulnerability has a CVSS score of 7.3.
RECOMMENDATION:
We recommend updating go.opentelemetry.io/otel/sdk to version 1.43.0 or later.
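The unsafe and the fixed command construction side by side, plus a regression check a maintainer can keep in a test suite to prove the hardened form ignores $PATH. This is an added illustration, not code from the OpenTelemetry Go SDK; the absolute path /bin/kenv, the helper names and the kenv key passed in are assumptions, since the advisory only states that the fix switched to an absolute path.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// Assumed absolute location of kenv on FreeBSD (the advisory does not name it).
const kenvPath = "/bin/kenv"

// vulnerableKenvCmd: a bare name, which exec.Command resolves through $PATH.
func vulnerableKenvCmd(key string) *exec.Cmd {
	return exec.Command("kenv", "-q", key)
}

// fixedKenvCmd: an absolute path is used verbatim; $PATH plays no part.
func fixedKenvCmd(key string) *exec.Cmd {
	return exec.Command(kenvPath, "-q", key)
}

// CheckPinned is the review check for any Cmd that runs a system utility.
func CheckPinned(cmd *exec.Cmd, want string) error {
	if cmd.Err != nil {
		return cmd.Err
	}
	if !filepath.IsAbs(cmd.Path) {
		return fmt.Errorf("command %q is a bare name resolved via $PATH", cmd.Path)
	}
	if cmd.Path != want {
		return fmt.Errorf("command resolved to %q, expected %q", cmd.Path, want)
	}
	return nil
}

// ShadowResolve is a test fixture: it writes a harmless placeholder named
// name into shadowDir, puts shadowDir first in $PATH only for the duration
// of the call, and returns the Cmd that build produced. Nothing is executed.
func ShadowResolve(shadowDir, name string, build func() *exec.Cmd) (*exec.Cmd, error) {
	placeholder := filepath.Join(shadowDir, name)
	if err := os.WriteFile(placeholder, []byte("#!/bin/sh\n"), 0o755); err != nil {
		return nil, err
	}
	oldPath := os.Getenv("PATH")
	defer os.Setenv("PATH", oldPath)
	os.Setenv("PATH", shadowDir+string(os.PathListSeparator)+oldPath)
	return build(), nil
}
```

Inspect cmd.Path on the returned Cmd: the bare-name form points at the placeholder in the shadow directory, the absolute-path form stays at /bin/kenv whatever $PATH contains.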
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-hfvc-g4fc-pqhx