CVE-2026-39883
opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking
Description
## Summary The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin `ioreg` command to use an absolute path but left the BSD `kenv` command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. ## Root Cause `sdk/resource/host_id.go` line 42: if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil { Compare with the fixed Darwin path at line 58: result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice") The `execCommand` helper at `sdk/resource/host_id_exec.go` uses `exec.Command(name, arg...)` which searches `$PATH` when the command name contains no path separator. Affected platforms (per build tag in `host_id_bsd.go:4`): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris. The `kenv` path is reached when `/etc/hostid` does not exist (line 38-40), which is common on FreeBSD systems. ## Attack 1. Attacker has local access to a system running a Go application that imports `go.opentelemetry.io/otel/sdk` 2. Attacker places a malicious `kenv` binary earlier in `$PATH` 3. Application initializes OpenTelemetry resource detection at startup 4. `hostIDReaderBSD.read()` calls `exec.Command("kenv", ...)` which resolves to the malicious binary 5. Arbitrary code executes in the context of the application Same attack vector and impact as CVE-2026-24051. ## Suggested Fix Use the absolute path: if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil { On FreeBSD, `kenv` is located at `/bin/kenv`.
How to fix CVE-2026-39883
To remediate CVE-2026-39883, upgrade the affected package to a fixed version below.
- —upgrade to 1.43.0 or later
Is CVE-2026-39883 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 1.15.0, < 1.43.0