CVE-2026-48496 · MEDIUM · CVSS 6.2

opentelemetry-ebpf-profiler: Unprivileged process can trigger a denial of service on the ebpf-profiler agent

Published Jun 23, 2026 · Updated Jun 23, 2026

Description

### Summary

An unprivileged process can easily cause the `processPIDEvents` goroutine to block indefinitely, which stops the agent from analyzing any new ELF file. The goroutine stays blocked in the `openat2` syscall forever and the profiler no longer works properly: a denial of service.

### Impact

The impact is limited to denial of service against the ebpf-profiler agent:

- A malicious workload is required, but it needs no privileges.
- No exfiltration of data. No loss of data.

### Fix

Fixed in https://github.com/open-telemetry/opentelemetry-ebpf-profiler/commit/234b685cab31c2cb2f79e966caeab168bcc489e4. The fix is part of [v0.0.202622](https://github.com/open-telemetry/opentelemetry-ebpf-profiler/releases/tag/v0.0.202622).
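The advisory does not say what kind of path makes `openat2` sleep, so the mechanism below is an assumption rather than a fact from the page: the textbook way a read-only open blocks forever is a FIFO that has no writer, since the kernel parks the opener until one appears, and `openat2(2)` follows the same rule as `open(2)`. The following is an added example written for this page, not code from the opentelemetry-ebpf-profiler project or from the advisory. The helper names `blockingOpenReturns`, `openRegularNonBlocking` and `Demo` are hypothetical, and the FIFO is constructed by the example as a stand-in for a path an unprivileged workload can plant. It shows the naive open hanging and a hardened open that combines `O_NONBLOCK` (so the call cannot sleep waiting for a peer) with an `fstat` check (so only regular files are ever parsed as ELF).

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
	"time"
)

// ErrNotRegular is returned when a path that should name an ELF file turns
// out to be something else (FIFO, device, socket, directory).
var ErrNotRegular = errors.New("path is not a regular file")

// blockingOpenReturns performs a plain O_RDONLY open(2) of path in a
// goroutine and reports whether it returned within d. A read-side open of a
// FIFO that has no writer sleeps in the kernel until a writer shows up, so
// for such a path the call never returns and this reports false.
func blockingOpenReturns(path string, d time.Duration) bool {
	done := make(chan struct{})
	go func() {
		fd, err := syscall.Open(path, syscall.O_RDONLY|syscall.O_CLOEXEC, 0)
		if err == nil {
			syscall.Close(fd)
		}
		close(done)
	}()
	select {
	case <-done:
		return true
	case <-time.After(d):
		return false
	}
}

// openRegularNonBlocking is the hardened pattern for opening a path supplied
// by an untrusted process (hypothetical helper, not the project's code):
// O_NONBLOCK guarantees the open itself cannot sleep waiting for a FIFO peer,
// and the fstat on the opened descriptor (not a racy stat on the path)
// rejects anything that is not a regular file before any bytes are parsed.
func openRegularNonBlocking(path string) (*os.File, error) {
	fd, err := syscall.Open(path, syscall.O_RDONLY|syscall.O_CLOEXEC|syscall.O_NONBLOCK, 0)
	if err != nil {
		return nil, err
	}
	var st syscall.Stat_t
	if err := syscall.Fstat(fd, &st); err != nil {
		syscall.Close(fd)
		return nil, err
	}
	if st.Mode&syscall.S_IFMT != syscall.S_IFREG {
		syscall.Close(fd)
		return nil, ErrNotRegular
	}
	return os.NewFile(uintptr(fd), path), nil
}

// Demo creates a FIFO in dir (a constructed stand-in for a path that an
// unprivileged process could plant) and reports whether the naive open hung
// on it and whether the hardened open returned promptly with ErrNotRegular.
func Demo(dir string) (naiveHung, hardenedRejected bool, err error) {
	fifo := filepath.Join(dir, "fake-elf")
	if err := syscall.Mkfifo(fifo, 0o600); err != nil {
		return false, false, err
	}
	naiveHung = !blockingOpenReturns(fifo, 200*time.Millisecond)
	_, herr := openRegularNonBlocking(fifo)
	hardenedRejected = errors.Is(herr, ErrNotRegular)
	// Release the goroutine still parked in open(2): a writer appearing on the
	// FIFO is exactly the event the blocked reader is waiting for.
	if w, werr := syscall.Open(fifo, syscall.O_WRONLY|syscall.O_NONBLOCK, 0); werr == nil {
		syscall.Close(w)
	}
	return naiveHung, hardenedRejected, nil
}

func main() {
	dir, err := os.MkdirTemp("", "fifo-open-demo")
	if err != nil {
		fmt.Println("mkdirtemp:", err)
		return
	}
	defer os.RemoveAll(dir)
	hung, rejected, err := Demo(dir)
	fmt.Printf("naive open hung: %v, hardened open rejected FIFO: %v, err: %v\n", hung, rejected, err)
}
```

The order of the two checks matters: a `stat` on the path before opening it is a time-of-check/time-of-use race, because the untrusted process can swap the file for a FIFO in between, whereas `O_NONBLOCK` makes the open itself safe and `fstat` on the resulting descriptor inspects the object actually opened. The example requires a Unix system with FIFO support.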

Affected Packages (1)

go.opentelemetry.io/ebpf-profiler (Go)
From 0.0.202527
Fixed in 0.0.202622

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Local attack vector, low complexity, no privileges or user interaction required, no confidentiality or integrity impact, high availability impact; this matches the advisory's description of an unprivileged local workload causing a denial of service and nothing more.
