Upstream information

CVE-2026-39883 at MITRE

Description

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v3 Scores
CVSS detail CNA (0b0ca135-0b70-47e7-9f44-1890c2a1c46c) CNA (CISA-ADP) National Vulnerability Database
Base Score 8.8 7 7
Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local Local Local
Attack Complexity Low High High
Privileges Required Low Low Low
User Interaction None None None
Scope Changed Unchanged Unchanged
Confidentiality Impact High High High
Integrity Impact High High High
Availability Impact High High High
CVSSv3 Version 3.1 3.1 3.1
CVSS v4 Scores
CVSS detail CNA (GitHub)
Base Score 7.3
Vector CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity High
Attack Requirements None
Privileges Required Low
User Interaction None
Vulnerable System Confidentiality Impact High
Vulnerable System Integrity Impact High
Vulnerable System Availability Impact High
Subsequent System Confidentiality Impact None
Subsequent System Integrity Impact None
Subsequent System Availability Impact None
CVSSv4 Version 4.0
No SUSE Bugzilla entries cross referenced.

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • etcd >= 3.6.13-1.1
  • etcdctl >= 3.6.13-1.1
  • etcdutl >= 3.6.13-1.1
Patchnames:
openSUSE-Tumbleweed-2026-11173


SUSE Timeline for this CVE

CVE page created: Thu Apr 9 00:19:17 2026
CVE page last modified: Fri Jul 3 13:45:02 2026