CVE-2026-41433 - Vulnerability Analysis
Severity: High | CVSS: 8.4 | Last Updated: April 24, 2026
OpenTelemetry eBPF Instrumentation - Path Traversal
Published: April 24, 2026 | Updated: April 24, 2026
Overview
OpenTelemetry eBPF Instrumentation versions 0.4.0 up to, but not including, 0.8.0 contain a file system boundary escape and symlink-based file clobbering vulnerability in the Java agent injection path. The file creation semantics used when the agent is written out are unsafe: a symlink already present at the destination is not rejected, so the write lands on whatever file the link points to rather than on a file inside the intended directory. A local attacker can use this to overwrite arbitrary host files when Java injection is enabled and the instrumentation is running with elevated privileges. The vulnerable code is only reachable with Java injection turned on; the CVSS vector below rates the privileges the attacker needs as low (PR:L), with the elevated privileges being those of the instrumentation process.
Severity & Score
Severity: High
CVSS Score: 8.4
Impact
A local attacker (the CVSS vector rates required privileges as low, PR:L) can overwrite arbitrary host files while the instrumentation runs with elevated privileges. The impact is to integrity and availability only (C:N/I:H/A:H), with a scope change because the files affected belong to the host rather than to the instrumentation itself; this can lead to system compromise or data loss.
Mitigation
Upgrade to version 0.8.0 or later. Until the upgrade is in place, note that the vulnerable code is only reachable when Java injection is enabled, so leaving that feature disabled removes the exposure.
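The bug class named in the Overview (a write that goes through an attacker-planted symlink at the destination) and the kind of fix the Mitigation points to, shown as an added Go example. This is not the project's code and does not reproduce its actual injection path; unsafeWriteAgent, safeWriteAgent, runDemo, the file names and the "AGENT-BYTES" payload are all constructed for the illustration. The hardened version confines the name to a single path component, creates the file with O_CREAT|O_EXCL via os.CreateTemp so a planted link makes the open fail instead of succeeding, and renames the result into place so a symlink at the target name is replaced as a directory entry rather than written through.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// DemoResult records what each write did to a file that sits outside the
// agent directory and is reachable through an attacker-planted symlink.
type DemoResult struct {
	VictimAfterUnsafe string // outside file after the vulnerable write
	VictimAfterSafe   string // outside file after the hardened write
	AgentIsRegular    bool   // hardened write left a real file at agent.jar, not a link
	SafeErr           error  // error from the hardened write, if any
	TraversalErr      error  // error from a "../" file name (expected non-nil)
}

// unsafeWriteAgent shows the bug class (hypothetical, not the project's code):
// os.WriteFile opens with O_CREAT|O_TRUNC, which follows a symlink already
// present at dest, so the bytes land on whatever the link points to.
func unsafeWriteAgent(dest string, payload []byte) error {
	return os.WriteFile(dest, payload, 0o644)
}

// safeWriteAgent writes payload to root/name without ever writing through a link:
//  1. name must be a single path component, so it cannot escape root;
//  2. the data goes into a fresh file made with O_CREAT|O_EXCL (os.CreateTemp),
//     which fails instead of opening if anything, link included, already exists;
//  3. rename(2) moves it over root/name atomically: a planted symlink at that
//     name is replaced as a directory entry and its target is never touched.
func safeWriteAgent(root, name string, payload []byte) error {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return fmt.Errorf("refusing unsafe file name %q", name)
	}
	// Lstat does not follow links, so a root that is itself a symlink fails IsDir.
	if fi, err := os.Lstat(root); err != nil || !fi.IsDir() {
		return fmt.Errorf("%s is not a real directory: %v", root, err)
	}
	tmp, err := os.CreateTemp(root, "."+name+".*")
	if err != nil {
		return err
	}
	_, err = tmp.Write(payload)
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err == nil {
		err = os.Rename(tmp.Name(), filepath.Join(root, name))
	}
	if err != nil {
		os.Remove(tmp.Name()) // leave no partial file behind
	}
	return err
}

// runDemo builds a constructed layout under dir: dir/victim.conf, a file the
// attacker wants clobbered, and dir/agent/agent.jar, a symlink pointing at it.
func runDemo(dir string) (DemoResult, error) {
	var r DemoResult
	victim := filepath.Join(dir, "victim.conf")
	agentDir := filepath.Join(dir, "agent")
	link := filepath.Join(agentDir, "agent.jar")
	payload := []byte("AGENT-BYTES")
	readVictim := func() (string, error) { b, err := os.ReadFile(victim); return string(b), err }

	if err := os.WriteFile(victim, []byte("original"), 0o644); err != nil {
		return r, err
	}
	if err := os.Mkdir(agentDir, 0o755); err != nil {
		return r, err
	}
	if err := os.Symlink(victim, link); err != nil {
		return r, err
	}
	// Vulnerable path: the write follows the link and clobbers victim.conf.
	if err := unsafeWriteAgent(link, payload); err != nil {
		return r, err
	}
	var err error
	if r.VictimAfterUnsafe, err = readVictim(); err != nil {
		return r, err
	}
	// Reset the victim, keep the planted link in place, try the hardened path.
	if err = os.WriteFile(victim, []byte("original"), 0o644); err != nil {
		return r, err
	}
	r.SafeErr = safeWriteAgent(agentDir, "agent.jar", payload)
	if r.VictimAfterSafe, err = readVictim(); err != nil {
		return r, err
	}
	if fi, err := os.Lstat(link); err == nil {
		r.AgentIsRegular = fi.Mode().IsRegular()
	}
	// A traversal-style name must be refused before any file is touched.
	r.TraversalErr = safeWriteAgent(agentDir, "../victim.conf", payload)
	return r, nil
}

func main() {
	dir, err := os.MkdirTemp("", "symlink-clobber-demo-*")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	r, err := runDemo(dir)
	fmt.Printf("%+v err=%v\n", r, err)
}
```

The pre-check on root is only for a clearer error; the guarantees come from O_EXCL at creation time and from rename replacing the directory entry, both of which hold even if an attacker races the write. When the file must be refreshed on every injection, the temp-file-plus-rename pattern is what allows that without ever opening the existing name for writing.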
Details
- CVE ID: CVE-2026-41433
- Severity: High
- CVSS Score: 8.4
- Type: Path traversal
- Status: new
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality: None
- Integrity: High
- Availability: High