PT-2026-41783 · Opentelemetry · @Opentelemetry/Instrumentation

Mralias

·

Published

2026-05-18

·

Updated

2026-07-09

·

CVE-2026-45678

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions OpenTelemetry eBPF Instrumentation versions prior to 0.9.0
Description The Postgres protocol parser incorrectly assumes that BIND message payloads contain a valid NUL-terminated portal name. When processing a crafted empty or unterminated payload, the system may slice beyond the end of the captured buffer, leading to a runtime panic. This occurs within the BIND case logic where the system computes portalLen and slices msg.data without verifying if the buffer contains a NUL terminator or sufficient bytes. This can result in a remote availability issue where an attacker sending malformed Postgres traffic to a monitored service crashes the agent, halting telemetry collection.
Recommendations Update to version 0.9.0.

Exploit

Fix

Improper Check for Exceptional Conditions

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45678
GHSA-PGVV-Q3WF-MM9M
GO-2026-5539
OPENSUSE-SU-2026:11053-1
OPENSUSE-SU-2026:21251-1
SUSE-SU-2026:2824-1

Affected Products

@Opentelemetry/Instrumentation