Mralias

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry eBPF Instrumentation versions 0.7.0 through 0.8.x **Description** An integer overflow exists in the memcached text protocol parser of OpenTelemetry eBPF Instrumentation (OBI). When parsing memcached storage commands such as `set`, `add`, `replace`, `append`, `prepend`, or `cas`, the system accepts extremely large values for the `bytes` variable and adds the payload delimiter length without verifying for an overflow. A crafted request where `bytes` is set to `math.MaxInt` or `math.MaxInt-1` causes the computed payload length to wrap to a negative value, triggering a runtime panic in the `LargeBufferReader.Peek()` function. This can lead to a remote denial of service, crashing the OBI process and resulting in the loss of telemetry collection. **Recommendations** Update OpenTelemetry eBPF Instrumentation to version 0.9.0.

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry eBPF Instrumentation versions prior to 0.9.0 **Description** The replacement ELF parser trusts section offsets, counts, and string offsets from executable files. A crafted local ELF file can cause the agent to dereference invalid section pointers or slice past string tables, leading to a panic while determining the process language. This results in a local denial of service against the telemetry agent, allowing a local user to crash the agent and interrupt observability for other workloads. Technical details include the `matchExeSymbols()` function iterating over sections using unvalidated `fastelf` context, and the `GetCStringUnsafe()` and `ReadStruct()` functions performing unsafe slicing and pointer conversion without guarding against out-of-range or negative offsets. Additionally, `NewElfContextFromData()` trusts `Shoff`, `Shnum`, and `Phnum` from the ELF header without validating offsets. **Recommendations** Update to version 0.9.0.

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry eBPF Instrumentation versions prior to 0.9.0 **Description** The Postgres protocol parser incorrectly assumes that `BIND` message payloads contain a valid NUL-terminated portal name. When processing a crafted empty or unterminated payload, the system may slice beyond the end of the captured buffer, leading to a runtime panic. This occurs within the `BIND` case logic where the system computes `portalLen` and slices `msg.data` without verifying if the buffer contains a NUL terminator or sufficient bytes. This can result in a remote availability issue where an attacker sending malformed Postgres traffic to a monitored service crashes the agent, halting telemetry collection. **Recommendations** Update to version 0.9.0.

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry eBPF Instrumentation versions prior to 0.9.0 **Description** OpenTelemetry eBPF Instrumentation exports raw Redis error text as the span status message. Because Redis error replies can contain sensitive values or attacker-controlled data, this behavior can lead to the exfiltration of tokens, personally identifiable information (PII), or other confidential input into telemetry backends. Additionally, it allows the injection of untrusted text into downstream analysis systems. The issue occurs because the `getRedisError()` function trims the raw error buffer and stores it directly in `request.DBError.Description`, which is subsequently returned as the exported status message for Redis spans when the span status is non-zero, without any sanitization beyond CRLF trimming. **Recommendations** Update to version 0.9.0.

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry eBPF Instrumentation versions prior to 0.9.0 **Description** OpenTelemetry eBPF Instrumentation (OBI) replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very large, causing the metrics exporter to spend excessive CPU time in a tight loop during every collection interval. This occurs because the `calculateStats()` function calculates `deltaCount` as the difference between `bp.runCount` and `bp.prevRunCount` without applying a cap. The exporter then iterates through `probeMetrics` and executes a loop based on `metric.count`, invoking the `BpfProbeLatency()` function for each individual recorded hit. Consequently, CPU consumption becomes proportional to the number of probe hits rather than the number of metric series, which can lead to an availability issue in the internal metrics path when tracing high-volume workloads. **Recommendations** Update to version 0.9.0.

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry eBPF Instrumentation versions prior to 0.9.0 **Description** The per-CPU message-buffer fallback path uses a 256-byte backup buffer but preserves the original payload size, which can reach up to 8KB. If a CPU mismatch occurs between producer and consumer contexts, the system can read beyond the fallback buffer, leading to a memory leak of adjacent data into telemetry. This issue specifically affects the HTTP tracing path when context propagation is enabled, the `tpinjector` sock msg path is active, and HTTP large-buffer capture is configured with a non-zero size. Technical details involve the `fallback buf` in `msg buffer t` and the use of `real size` to read payload data from `u buf`, which causes an over-read when the smaller fallback buffer is utilized. **Recommendations** Update to version 0.9.0.

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry eBPF Instrumentation versions prior to 0.9.0 **Description** A memory leak exists in the custom `CappedConcurrentHashMap` used for Java TLS state tracking. The `remove()` function deletes entries from the map but fails to remove the corresponding keys from the insertion-order queue. In long-running instrumented JVMs with frequent connection churn, this queue grows without bound, potentially leading to long garbage collection pauses or heap memory exhaustion resulting in an `OutOfMemoryError`. **Recommendations** Update to version 0.9.0.

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry eBPF Instrumentation versions prior to 0.9.0 **Description** The Java TLS ioctl probe incorrectly uses the `bpf probe read` function instead of `bpf probe read user` when reading user-controlled ioctl pointers. This occurs within the `do vfs ioctl` kprobe hook, which treats the third ioctl argument as a structured buffer and reads fields such as the operation byte from `arg`, connection metadata from `arg + 1`, and payload length from `arg + 1 + sizeof(connection info t)`. If the length is greater than zero, the pointer is passed to the `handle buf with connection()` function. Because the pointer originates in user space, the use of `bpf probe read` allows an instrumented local process to provide a kernel pointer, enabling the exfiltration of kernel-resident memory into telemetry systems. This results in a local kernel memory disclosure primitive for deployments that enable Java TLS support. **Recommendations** Update to version 0.9.0.

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry eBPF Instrumentation versions 0.7.0 through 0.8.x **Description** The log enricher mishandles `writev` buffers by reading only the first `iovec` entry while using the total `iov iter.count` as the copy length. When log injection is enabled, a crafted multi-segment `writev` call can cause the software to read and overwrite memory beyond the first segment. This occurs because the ` fill iov()` function resolves only one `struct iovec`, but the ` write()` function uses the total byte count across all segments. This memory safety flaw can lead to the corruption of adjacent application buffers, memory leakage into log events, or process instability. **Recommendations** Update to version 0.9.0. As a temporary workaround, disable the log injection feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry eBPF Instrumentation versions 0.1.0 through 0.8.0 **Description** Malformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service. The parser operates on raw attacker-controlled network payloads before the input is fully validated, meaning a single crafted message can terminate telemetry collection for the affected process or node. Technical details include slice-bounds panics in the `parseOpMessage()` and `parseSections()` functions when processing truncated OP MSG packets or malformed document-sequence sections, as well as a runtime panic in the `parseFirstField()` function due to an unchecked type assertion on `field.Value` when processing malformed BSON documents. **Recommendations** Update to version 0.9.0 or later. As a temporary workaround, restrict the telemetry agent from processing MongoDB traffic from untrusted or partially trusted clients to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry eBPF Instrumentation versions 0.4.0 through 0.7.x **Description** A flaw in the Java agent injection path allows a local attacker controlling a Java workload to overwrite arbitrary host files when Java injection is enabled and the instrumentation is running with elevated privileges. The injector trusted the `TMPDIR` variable from the target process and used unsafe file creation semantics, which enables filesystem boundary escape and symlink-based file clobbering. **Recommendations** Update to version 0.8.0.