TopVuln

High-risk vulnerability digests

CVE-2026-33701

  • CRITICAL

Exploit for Deserialization of Untrusted Data in Linuxfoundation Opentelemetry_Instrumentation_For_Java

Details

CVSS v3: 9.8
CVSS v4: 9.3
NVD published: 2026-03-27 01:16:19
EPSS: 0.4% probability · 60.9th percentile — 2026-04-03
Affected versions: OpenTelemetry Java Instrumentation prior to 2.26.1 on JDK 16 and earlier

Summary
This is a remote code execution vulnerability caused by unsafe deserialization of untrusted input in the RMI instrumentation component. Attackers with network access to an exposed JMX/RMI port can exploit this flaw to run arbitrary code with the privileges of the running JVM. Exploitation requires JDK 16 or older and a compatible gadget chain on the classpath.

Remediation
Upgrade OpenTelemetry Java Instrumentation to version 2.26.1 or later to remediate this issue. If an upgrade is not immediately possible, disable RMI instrumentation by setting the system property `-Dotel.instrumentation.rmi.enabled=false`. Block access to JMX/RMI ports from untrusted networks.

Exploit info
No public exploit found yet.

TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.

Information is aggregated from multiple authoritative sources for convenience; verify with NVD and vendors before operational decisions.