CVE•Published 2026-06-04•Modified 2026-06-08•0 articles on news•6 live references•NVD data

CVE-2026-45287

Vulnerability data via NVD (ingested)

CVSS v3.1

—

EPSS percentile

Exploit Prediction Scoring System · top 98% of all CVEs

Weaknesses (CWE)

CWE-772Missing Release of Resource after Effective Lifetime CWE-775Missing Release of File Descriptor or Handle after Effective Lifetime

Description

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17, `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leaks one file descriptor on each successful `ParseFile` call. `ParseFile` opens the schema file and passes it to `Parse` without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. Exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path. Version 0.0.17 contains a patch for the issue.

Timeline

Published 2026-06-04

Modified 2026-06-08

External references

NVD MITRE Exploit-DB GitHub PoC Sploitus VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2026-45287

Hosts Shodan has explicitly fingerprinted as vulnerable.

More intel sources (5)

Shodan report

vuln:CVE-2026-45287

Country / ASN / product breakdown for the vuln query.

Censys

vulnerabilities.cve_id: CVE-2026-45287

Censys host search filtered to this CVE id.

grep.app

CVE-2026-45287