CVE-2026-45287: CWE-772: Missing Release of Resource after Effective Lifetime in open-telemetry go.opentelemetry.io/otel/schema/v1.1
CVE-2026-45287 is a resource leak vulnerability in OpenTelemetry-Go versions prior to 0. 0. 17, specifically in the go. opentelemetry. io/otel/schema/v1. 0 and v1. 1 packages. The ParseFile function leaks one file descriptor on each successful call because it opens a schema file and passes it to Parse without closing it. This can lead to exhaustion of file descriptors in long-running processes that repeatedly parse schemas, potentially causing denial of service. The vulnerability is patched in version 0.
AI Analysis
Technical Summary
OpenTelemetry-Go versions before 0.0.17 have a resource management flaw in the schema parsing functionality (go.opentelemetry.io/otel/schema/v1.0 and v1.1). The ParseFile function leaks file descriptors by not closing the schema file after parsing, which can exhaust the file descriptor limit in processes that repeatedly call ParseFile. This is classified under CWE-772 (Missing Release of Resource after Effective Lifetime) and CWE-775 (Missing Release of File Descriptor or Handle). The issue is fixed in version 0.0.17.
Potential Impact
The vulnerability can cause denial of service by exhausting the file descriptor limit of a process that repeatedly parses schema files using the vulnerable ParseFile function. Exploitation requires the application to expose repeated schema parsing to attacker-controlled input. The CVSS score is low (2.1), reflecting limited impact and attack complexity.
Mitigation Recommendations
Upgrade to OpenTelemetry-Go version 0.0.17 or later, which contains a patch that properly closes file descriptors after parsing schema files. No other mitigation is indicated or necessary.
CVE-2026-45287: CWE-772: Missing Release of Resource after Effective Lifetime in open-telemetry go.opentelemetry.io/otel/schema/v1.1
Description
CVE-2026-45287 is a resource leak vulnerability in OpenTelemetry-Go versions prior to 0. 0. 17, specifically in the go. opentelemetry. io/otel/schema/v1. 0 and v1. 1 packages. The ParseFile function leaks one file descriptor on each successful call because it opens a schema file and passes it to Parse without closing it. This can lead to exhaustion of file descriptors in long-running processes that repeatedly parse schemas, potentially causing denial of service. The vulnerability is patched in version 0.
CVSS v4.0
Score 2.1low
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OpenTelemetry-Go versions before 0.0.17 have a resource management flaw in the schema parsing functionality (go.opentelemetry.io/otel/schema/v1.0 and v1.1). The ParseFile function leaks file descriptors by not closing the schema file after parsing, which can exhaust the file descriptor limit in processes that repeatedly call ParseFile. This is classified under CWE-772 (Missing Release of Resource after Effective Lifetime) and CWE-775 (Missing Release of File Descriptor or Handle). The issue is fixed in version 0.0.17.
Potential Impact
The vulnerability can cause denial of service by exhausting the file descriptor limit of a process that repeatedly parses schema files using the vulnerable ParseFile function. Exploitation requires the application to expose repeated schema parsing to attacker-controlled input. The CVSS score is low (2.1), reflecting limited impact and attack complexity.
Mitigation Recommendations
Upgrade to OpenTelemetry-Go version 0.0.17 or later, which contains a patch that properly closes file descriptors after parsing schema files. No other mitigation is indicated or necessary.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-11T20:14:43.200Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a219e6ae29bf47b50b4476e
Added to database: 6/4/2026, 3:48:58 PM
Last enriched: 6/4/2026, 4:03:39 PM
Last updated: 6/4/2026, 5:04:18 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.