CVE-2026-39883: PATH Hijacking via Insecure kenv Execution in OpenTelemetry Go SDK

The OpenTelemetry Go SDK provides core telemetry functionality, including automated resource detection to identify host environments. The go.opentelemetry.io/otel/sdk/resource package gathers metadata such as the system UUID to tag generated metrics, logs, and traces. On specific Unix-like operating systems, the SDK relies on external binaries to query this hardware information.

CVE-2026-39883 represents an Untrusted Search Path vulnerability (CWE-426) present in the SDK's BSD and Solaris specific code paths. The vulnerability emerges because the application attempts to execute a system command without specifying its absolute file path. This relative path execution implicitly trusts the environment variable configuration provided to the application process.

An attacker with local system access can exploit this implicit trust to hijack the execution flow. By planting a malicious executable and altering the application's environment, the attacker forces the SDK to run unauthorized code. The compromised process retains all permissions and capabilities of the parent Go application.

The underlying flaw stems from an incomplete remediation of a prior vulnerability, CVE-2026-24051. The previous patch correctly anchored the Darwin-specific ioreg command to an absolute path but neglected the identical anti-pattern in the BSD-specific host_id_bsd.go implementations. The SDK code continued to invoke the kenv utility using a relative string literal.

The SDK processes this command via the execCommand wrapper, which delegates execution to the Go standard library's os/exec.Command function. According to standard library documentation, exec.Command evaluates the provided executable name. If the string lacks a path separator, the exec package performs a resolution lookup utilizing exec.LookPath.

The LookPath function sequentially queries the directories defined in the process's PATH environment variable. It searches for an executable file matching the requested name. The function returns the first match it encounters and terminates the search, granting execution precedence to directories listed earlier in the PATH string.

On FreeBSD systems, this code path activates specifically when the system lacks an /etc/hostid file. The SDK attempts to read /etc/hostid first. When that read operation fails, the application falls back to querying the System Management BIOS (SMBIOS) UUID via the kenv command, triggering the vulnerable path resolution sequence.

The vulnerable implementation resides in the host identification logic for BSD variants. The application attempts to extract the system UUID using the execCommand utility function. The first argument specifies the command name, while subsequent arguments define the command flags.

// Vulnerable implementation in sdk/resource/host_id_bsd.go
if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil {
    // Parses the output of the kenv command
    return result, nil
}

The patch introduced in version 1.43.0 modifies the command string to include the absolute path to the system binary. This structural change prevents exec.Command from invoking exec.LookPath entirely, bypassing the PATH environment variable dependency.

// Patched implementation in sdk/resource/host_id_bsd.go
// The command is now hardcoded to the absolute path /bin/kenv
if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil {
    // Parses the output of the kenv command
    return result, nil
}

This remediation ensures the Go application unequivocally targets the legitimate system binary. Attackers can no longer intercept the execution flow by prioritizing alternative directories in the environment space.

Exploitation requires the attacker to possess local access to the target host and the authorization to manipulate the environment variables of the OpenTelemetry-instrumented Go application. The attacker must first generate a malicious payload. They compile this payload into an executable binary and name the file exactly kenv.

The attacker deposits this payload into a writable directory, such as /tmp or a user-specific binary folder. The next step involves configuring the PATH environment variable before the target application initializes. The attacker prepends the payload's directory to the environment string.

When the Go application starts and initializes the OpenTelemetry resource detection components, it reaches the host_id extraction logic. The exec.LookPath function inspects the manipulated PATH variable, discovers the malicious kenv binary in the attacker-controlled directory, and executes it in place of the system utility.

Successful exploitation yields arbitrary local code execution. The malicious payload executes with the exact privileges and context of the parent Go application. If the instrumented application runs as an elevated user or service account, the attacker inherits those administrative capabilities.

The compromised execution context allows the attacker to access sensitive data stored in the application's memory space, read proprietary configuration files, or manipulate the telemetry data before the SDK exports it. The CVSS 4.0 score of 7.3 reflects this severe local impact, marking High severity for Confidentiality, Integrity, and Availability.

The vulnerability scope remains constrained by the operating system requirements. Only applications compiled for and executing on DragonFly BSD, FreeBSD, NetBSD, OpenBSD, or Solaris are vulnerable. Linux, macOS, and Windows deployments process host identification through entirely different code paths and are immune to this specific defect.

The primary and most effective remediation requires developers to upgrade the go.opentelemetry.io/otel/sdk module to version 1.43.0 or later. Recompiling the application with the updated dependency permanently neutralizes the vulnerability by enforcing absolute path execution.

If immediate software updates are impossible, system administrators must implement operational mitigations. Operators must audit the environment variables passed to the Go application and ensure the PATH string strictly references trusted, root-owned system directories.

On FreeBSD systems, administrators can implement a definitive configuration workaround. Manually generating a valid /etc/hostid file prevents the SDK from executing the vulnerable fallback code path entirely. The SDK will read the UUID from the static file and bypass the kenv execution.