SCA: security update for go.opentelemetry.io/otel/schema/v1.0, go.opentelemetry.io/otel/schema/v1.1 (GHSA-995v-fvrw-c78m)

low Tenable Cloud Security Plugin ID 442438

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17,
`go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leaks one file
descriptor on each successful `ParseFile` call. `ParseFile` opens the schema file and passes it to `Parse`
without closing it; repeated parsing in a long-running process can exhaust the process file descriptor
limit and cause denial of service. Exploitation depends on a consuming application exposing repeated
schema parsing to an attacker-controlled path. Version 0.0.17 contains a patch for the issue.
(CVE-2026-45287)

Solution

Update the go.opentelemetry.io/otel/schema/v1.0 library and its related packages to version 0.0.17 or later.

See Also

https://github.com/advisories/GHSA-995v-fvrw-c78m

Plugin Details

Severity: Low

ID: 442438

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 5/28/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.6

Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2026-45287

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Low

Base Score: 2.1

Threat Score: 1.2

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/28/2026

Vulnerability Publication Date: 5/28/2026

Reference Information

CVE: CVE-2026-45287