CVE-2026-39883

Updated on 08 Apr 2026

Severity

7.0 High severity

Details

CVSS score
7.0
CVSS vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Overview

About vulnerability

OpenTelemetry-Go is the Go implementation of OpenTelemetry. In versions 1.15.0 through 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg invocation to use an absolute path but left the BSD kenv command invoked by its bare name, so the same PATH hijacking attack remains possible on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.
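The following is an added illustration of the bug class behind this advisory and is not code from opentelemetry-go: `resolveBare` reproduces the PATH walk that `exec.Command` performs for a bare name such as `kenv`, while `pinnedCommand` is the hardened pattern that only accepts an absolute path. The temp directory, the fake `kenv` script and the PATH value are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// ErrUnpinnedCommand is returned when a host command is given as a bare name.
var ErrUnpinnedCommand = errors.New("host command must be an absolute path")

// resolveBare reproduces what exec.Command does with a bare name such as "kenv":
// walk PATH in order and return the first executable regular file. An
// attacker-writable directory listed before the real binary's directory wins.
func resolveBare(name, pathEnv string) (string, error) {
	for _, dir := range filepath.SplitList(pathEnv) {
		if dir == "" {
			dir = "." // an empty PATH entry means the current directory
		}
		candidate := filepath.Join(dir, name)
		info, err := os.Stat(candidate)
		if err == nil && info.Mode().IsRegular() && info.Mode()&0o111 != 0 {
			return candidate, nil
		}
	}
	return "", exec.ErrNotFound
}

// pinnedCommand is the hardened form: only an absolute path is accepted, so
// exec.Command uses it directly and never consults PATH.
func pinnedCommand(path string, args ...string) (*exec.Cmd, error) {
	if !filepath.IsAbs(path) {
		return nil, fmt.Errorf("%w: got %q", ErrUnpinnedCommand, path)
	}
	return exec.Command(path, args...), nil
}

func main() {
	// Constructed demo: a writable temp dir placed ahead of /usr/bin in PATH,
	// holding a fake "kenv" script (hypothetical, not the real binary).
	dir, _ := os.MkdirTemp("", "pathdemo")
	defer os.RemoveAll(dir)
	_ = os.WriteFile(filepath.Join(dir, "kenv"), []byte("#!/bin/sh\necho hijacked\n"), 0o755)
	found, _ := resolveBare("kenv", dir+string(os.PathListSeparator)+"/usr/bin")
	fmt.Println("bare lookup resolves to:", found)
	_, err := pinnedCommand("kenv")
	fmt.Println("pinned helper rejects bare name:", err)
}
```

Auditing for this pattern means grepping `exec.Command` and `exec.LookPath` call sites for bare names and pinning every host utility invoked from a privileged or long-running process.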

Details

Affected product:
GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric , Grafana , Loki , argocd , bufbuild/protoc-gen-validate , census-ecosystem/opencensus-go-exporter-ocagent/ocagent , census-instrumentation/opencensus-go , census-instrumentation/opencensus-proto , cloud.google.com/go , cloud.google.com/go/assuredworkloads , cloud.google.com/go/bigquery , cloud.google.com/go/bigtable , cloud.google.com/go/compute , cloud.google.com/go/container , cloud.google.com/go/containeranalysis , cloud.google.com/go/datacatalog , cloud.google.com/go/datastore , cloud.google.com/go/iam , cloud.google.com/go/kms , cloud.google.com/go/pubsub , cloud.google.com/go/spanner , cloud.google.com/go/storage , cloud.google.com/go/translate , cncf/xds/go , denisenkom/go-mssqldb , envoyproxy/go-control-plane , etcd-io/etcd/api , etcd-io/etcd/client , fsouza/fake-gcs-server , github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric , github.com/census-instrumentation/opencensus-proto , github.com/cncf/xds/go , github.com/denisenkom/go-mssqldb , github.com/envoyproxy/protoc-gen-validate , github.com/fsouza/fake-gcs-server , github.com/go-kit/kit , github.com/go-openapi/runtime , github.com/google/s2a-go , github.com/googleapis/google-cloud-go-testing , github.com/grafana/dataplane/sdata , github.com/grafana/e2e , github.com/grafana/grafana-app-sdk , github.com/grafana/grafana-aws-sdk , github.com/grafana/grafana-azure-sdk-go , github.com/grafana/grafana-plugin-sdk-go , github.com/grafana/grafana/apps/playlist , github.com/grafana/grafana/pkg/aggregator , github.com/grafana/grafana/pkg/apiserver , github.com/grafana/grafana/pkg/promlib , github.com/grafana/grafana/pkg/storage/unified/apistore , github.com/grafana/otel-profiling-go , github.com/grafana/sqlds , github.com/grafana/tempo , github.com/grpc-ecosystem/go-grpc-middleware , github.com/hashicorp/consul , github.com/heroku/x , github.com/influxdata/telegraf , github.com/lyft/protoc-gen-star , github.com/openfga/openfga , 
github.com/prometheus/alertmanager , github.com/prometheus/prometheus , github.com/redis/rueidis , github.com/sagikazarmark/crypt , github.com/spf13/afero , github.com/spf13/viper , go-kit/kit , go-openapi/runtime , go.etcd.io/etcd/client , go.opentelemetry.io/contrib/detectors/gcp , go.opentelemetry.io/contrib/samplers/jaegerremote , go.opentelemetry.io/otel/exporters/jaeger , go.opentelemetry.io/otel/exporters/otlp/otlpmetric , go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc , go.opentelemetry.io/otel/exporters/otlp/otlptrace , go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc , go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp , go.opentelemetry.io/otel/sdk , go.opentelemetry.io/otel/sdk/export/metric , go.opentelemetry.io/otel/sdk/metric , google.golang.org/genproto , google.golang.org/grpc , google.golang.org/grpc/stats/opentelemetry , google/s2a-go , googleapis/gax-go , googleapis/go-genproto , googleapis/google-api-go-client , googleapis/google-cloud-go , googleapis/google-cloud-go-testing , googleapis/google-cloud-go/assuredworkloads , googleapis/google-cloud-go/auth , googleapis/google-cloud-go/bigquery , googleapis/google-cloud-go/bigtable , googleapis/google-cloud-go/compute , googleapis/google-cloud-go/container , googleapis/google-cloud-go/containeranalysis , googleapis/google-cloud-go/datacatalog , googleapis/google-cloud-go/datastore , googleapis/google-cloud-go/iam , googleapis/google-cloud-go/kms , googleapis/google-cloud-go/monitoring , googleapis/google-cloud-go/pubsub , googleapis/google-cloud-go/spanner , googleapis/google-cloud-go/storage , googleapis/google-cloud-go/translate , grafana/dataplane/sdata , grafana/e2e , grafana/grafana-app-sdk , grafana/grafana-aws-sdk , grafana/grafana-azure-sdk-go , grafana/grafana-openapi-client-go , grafana/grafana-plugin-sdk-go , grafana/grafana/apps/alerting/notifications , grafana/grafana/apps/investigation , grafana/grafana/apps/playlist , 
grafana/grafana/pkg/aggregator , grafana/grafana/pkg/apiserver , grafana/grafana/pkg/promlib , grafana/grafana/pkg/storage/unified/apistore , grafana/otel-profiling-go , grafana/sqlds , grafana/tempo , grpc-ecosystem/go-grpc-middleware , grpc/grpc-go , grpc/grpc-go/stats/opentelemetry , hashicorp/consul , heroku/x , influxdata/telegraf , k8s.io/apiserver , k8s.io/component-base , k8s.io/kube-aggregator , kubernetes-sigs/controller-runtime , kubernetes/apiextensions-apiserver , kubernetes/apiserver , kubernetes/component-base , kubernetes/controller-manager , kubernetes/kube-aggregator , kubernetes/kubernetes , minio , minio/colorjson , minio/object-browser/console , minio/pkg , open-telemetry/opentelemetry-go-contrib/detectors/gcp , open-telemetry/opentelemetry-go-contrib/instrumentation/google.golang.org/grpc/otelgrpc , open-telemetry/opentelemetry-go-contrib/instrumentation/net/http/otelhttp , open-telemetry/opentelemetry-go-contrib/samplers/jaegerremote , open-telemetry/opentelemetry-go/exporters/jaeger , open-telemetry/opentelemetry-go/exporters/otlp/otlpmetric , open-telemetry/opentelemetry-go/exporters/otlp/otlpmetric/otlpmetricgrpc , open-telemetry/opentelemetry-go/exporters/otlp/otlptrace , open-telemetry/opentelemetry-go/exporters/otlp/otlptrace/otlptracegrpc , open-telemetry/opentelemetry-go/exporters/otlp/otlptrace/otlptracehttp , open-telemetry/opentelemetry-go/sdk , open-telemetry/opentelemetry-go/sdk/export/metric , open-telemetry/opentelemetry-go/sdk/metric , openfga/openfga , prometheus/alertmanager , prometheus/prom2json , prometheus/prometheus , redis/rueidis , sagikazarmark/crypt , spf13/afero , spf13/viper
Affected packages:
go.opentelemetry.io/otel/sdk @ 1.24.0 (+321 more)