CVE-2026-39883
opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking
Description
## Summary

The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin `ioreg` command to use an absolute path but left the BSD `kenv` command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.

## Root Cause

`sdk/resource/host_id.go` line 42:

```go
if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil {
```

Compare with the fixed Darwin path at line 58:

```go
result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice")
```

The `execCommand` helper at `sdk/resource/host_id_exec.go` uses `exec.Command(name, arg...)`, which searches `$PATH` when the command name contains no path separator.

Affected platforms (per the build tag in `host_id_bsd.go:4`): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.

The `kenv` path is reached when `/etc/hostid` does not exist (lines 38-40), which is common on FreeBSD systems.

## Attack

1. Attacker has local access to a system running a Go application that imports `go.opentelemetry.io/otel/sdk`
2. Attacker places a malicious `kenv` binary earlier in `$PATH`
3. Application initializes OpenTelemetry resource detection at startup
4. `hostIDReaderBSD.read()` calls `exec.Command("kenv", ...)`, which resolves to the malicious binary
5. Arbitrary code executes in the context of the application

Same attack vector and impact as CVE-2026-24051.

## Suggested Fix

Use the absolute path:

```go
if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil {
```

On FreeBSD, `kenv` is located at `/bin/kenv`.
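A hardened variant of the `execCommand` helper, together with an audit check for the condition the advisory describes, as an added example that is not opentelemetry-go's own code. `safeCommand`, `firstInPath` and `shadowed` are names chosen here, and the lookup assumes Unix-style `$PATH` semantics (a `PathListSeparator`-joined directory list, empty entry meaning the current directory).

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// safeCommand wraps exec.Command but refuses bare names such as "kenv":
// with an absolute path, exec.Command never consults $PATH, so a binary
// placed earlier in $PATH cannot be substituted for the intended one.
func safeCommand(name string, arg ...string) (*exec.Cmd, error) {
	if !filepath.IsAbs(name) {
		return nil, fmt.Errorf("refusing bare command name %q: must be absolute", name)
	}
	return exec.Command(name, arg...), nil
}

// firstInPath mimics the $PATH walk exec.Command performs for a bare name: the
// first executable regular file called name in the directories of pathEnv, else "".
func firstInPath(name, pathEnv string) string {
	for _, dir := range filepath.SplitList(pathEnv) {
		if dir == "" {
			dir = "."
		}
		candidate := filepath.Join(dir, name)
		info, err := os.Stat(candidate)
		if err == nil && info.Mode().IsRegular() && info.Mode()&0o111 != 0 {
			return candidate
		}
	}
	return ""
}

// shadowed is an audit check: where a bare invocation of name resolves under
// pathEnv, and whether that differs from the expected absolute path (e.g. /bin/kenv).
func shadowed(name, expected, pathEnv string) (resolved string, hijacked bool) {
	resolved = firstInPath(name, pathEnv)
	return resolved, resolved != "" && resolved != expected
}

func main() {
	if _, err := safeCommand("kenv", "-q", "smbios.system.uuid"); err != nil {
		fmt.Println("rejected:", err)
	}
	res, bad := shadowed("kenv", "/bin/kenv", os.Getenv("PATH"))
	fmt.Printf("bare kenv resolves to %q, shadowed=%v\n", res, bad)
}
```

`shadowed` reproduces exec.Command's lookup order instead of calling it, so it can be run against any PATH string, including one captured from a deployed service's environment.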
How to fix CVE-2026-39883
To fix CVE-2026-39883, upgrade the affected package to the patched version listed below.
- Upgrade to 1.43.0 or later
Is CVE-2026-39883 being exploited?
Low. EPSS is 0.0%, and no widespread exploitation activity has been observed so far.
Affected packages (1)
- >= 1.15.0, < 1.43.0