Threat Advisory

OpenTelemetry eBPF Memory Overflow Vulnerability in Memcached Parser

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT, Critical Infrastructure
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in OpenTelemetry eBPF Instrumentation (OBI) versions 0.7.0 through 0.8.9. The issues include a remotely reachable integer overflow in the memcached text protocol parser, which can crash the OBI process and cause denial of service. Additionally, malformed MongoDB and Postgres payloads can trigger uncaught panics in the respective parsers, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service. In each case the impact is the availability of the telemetry agent: a single crafted message sent to a monitored service stops observability data for that process or node, and because OBI parses traffic it captures from the kernel, the attacker only needs to reach the monitored service, not the agent itself. The vulnerabilities affect business continuity, since losing telemetry blinds monitoring and alerting for the affected workloads and can lead to significant downtime and financial losses if exploited.

  • CVE-2026-45686 with a CVSS score of 7.5 – A remotely reachable integer overflow in OBI's memcached text protocol parser can crash the OBI process and cause denial of service. When parsing memcached storage commands, OBI accepts extremely large values in the command's byte-count (data length) field and adds the payload delimiter length without checking for overflow. A crafted request with that field set to `math.MaxInt` or `math.MaxInt-1` causes the computed payload length to wrap negative and triggers a runtime panic in `LargeBufferReader.Peek`.
  • CVE-2026-45685 with a CVSS score of 7.5 – Malformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service. The parser operates on raw attacker-controlled network payloads before the input is fully validated, so a single crafted message can terminate telemetry collection for the affected process or node.
  • CVE-2026-45678 with a CVSS score of 7.5 – The Postgres protocol parser assumes `BIND` message payloads contain a valid NUL-terminated portal name. A crafted empty or unterminated payload can make OBI slice beyond the end of the captured buffer and panic. This is a remote availability issue in OBI's Postgres parser, allowing any attacker able to send malformed Postgres traffic to a monitored service to crash the agent and stop telemetry collection for that node or process.
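
The two parser defects above, the unchecked length arithmetic in the memcached parser and the missing terminator check in the Postgres Bind parser, share one shape: a slice bound derived from attacker-controlled bytes. The Go program below is an added illustration, not OBI's own code; the function names, the simplified parsers and the sample requests are constructed for this example and do not reproduce `LargeBufferReader.Peek` or OBI's internal types. Each flawed form is shown beside a hardened one, and a `panics` helper stands in for the agent crash an unrecovered panic would cause.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"math"
	"strconv"
)

var (
	errMalformed = errors.New("malformed message")
	errTooLarge  = errors.New("declared length exceeds captured buffer")
)

// Constructed sample inputs (not captured traffic). A memcached storage command
// carries its data length in the fifth field: "set <key> <flags> <exptime> <bytes>\r\n<data>\r\n".
var (
	benignSet   = []byte("set session:42 0 900 5\r\nhello\r\n")
	overflowSet = []byte("set session:42 0 900 " + strconv.Itoa(math.MaxInt) + "\r\nhello\r\n")
	// Body of a Postgres Bind message after the type byte and length: portal name and
	// statement name as NUL-terminated strings, followed by the parameter counts.
	bindNamed = []byte("portal0\x00stmt0\x00\x00\x00\x00\x00\x00\x00")
	bindTrunc = []byte("portal0") // capture ends before the terminating NUL
)

// memcachedPayloadUnchecked follows the flawed pattern the advisory describes: the
// declared byte count is trusted and the "\r\n" delimiter length is added without an
// overflow check, so math.MaxInt wraps to a negative slice bound and the slice panics.
func memcachedPayloadUnchecked(req []byte) []byte {
	header, rest, _ := bytes.Cut(req, []byte("\r\n"))
	fields := bytes.Fields(header)
	declared, _ := strconv.Atoi(string(fields[4]))
	n := declared + len("\r\n") // silently wraps negative for math.MaxInt or math.MaxInt-1
	return rest[:n]             // panic: slice bounds out of range
}

// memcachedPayload is the hardened form: reject negative or non-numeric counts, refuse
// an addition that would overflow, and never read past the bytes actually captured.
func memcachedPayload(req []byte) ([]byte, error) {
	header, rest, found := bytes.Cut(req, []byte("\r\n"))
	if !found {
		return nil, errMalformed
	}
	fields := bytes.Fields(header)
	if len(fields) < 5 {
		return nil, errMalformed
	}
	declared, err := strconv.Atoi(string(fields[4]))
	if err != nil || declared < 0 {
		return nil, errMalformed
	}
	const delim = len("\r\n")
	if declared > math.MaxInt-delim { // declared+delim would overflow
		return nil, errTooLarge
	}
	if declared+delim > len(rest) { // more data declared than was captured
		return nil, errTooLarge
	}
	return rest[:declared], nil
}

// bindPortalNameUnchecked assumes the NUL terminator is present; for an empty or
// truncated payload bytes.IndexByte returns -1 and the slice expression panics.
func bindPortalNameUnchecked(body []byte) string {
	end := bytes.IndexByte(body, 0)
	return string(body[:end])
}

// bindPortalName treats a missing terminator as a malformed message instead of a panic.
func bindPortalName(body []byte) (string, error) {
	end := bytes.IndexByte(body, 0)
	if end < 0 {
		return "", errMalformed
	}
	return string(body[:end]), nil
}

// panics reports whether f panics; it stands in for the process crash a telemetry
// agent suffers when a parser panic is not recovered.
func panics(f func()) (crashed bool) {
	defer func() {
		if recover() != nil {
			crashed = true
		}
	}()
	f()
	return false
}

func main() {
	fmt.Println("unchecked memcached parser crashes on MaxInt length:",
		panics(func() { memcachedPayloadUnchecked(overflowSet) }))
	_, err := memcachedPayload(overflowSet)
	fmt.Println("hardened memcached parser rejects it:", err)
	fmt.Println("unchecked Bind parser crashes on truncated portal name:",
		panics(func() { bindPortalNameUnchecked(bindTrunc) }))
	name, err := bindPortalName(bindNamed)
	fmt.Println("hardened Bind parser:", name, err)
}
```

The ordering of the hardened checks matters: the overflow test against `math.MaxInt-delim` must run before the addition, because once the sum has wrapped it is negative and a later `n > len(rest)` comparison passes. The bound against `len(rest)` is the realistic limit for a capture-based agent, which only ever holds a fixed-size window of the connection rather than the full declared payload.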

These vulnerabilities pose a significant risk to business continuity, as they can lead to prolonged downtime and financial losses if exploited. Patching should be prioritized: upgrade to OBI 0.9.0, the first release that fixes all three issues.

RECOMMENDATION:

  • We recommend updating go/opentelemetry.io/obi to version 0.9.0 or later. Confirm the deployed agent version after the rollout, and treat unexplained OBI crashes or restart loops on a node as a possible sign that malformed traffic is reaching a monitored service.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-43g7-cwr8-q3jh
https://github.com/advisories/GHSA-j8p6-96vp-f3r9
https://github.com/advisories/GHSA-pgvv-q3wf-mm9m
