PT-2026-41783 · Opentelemetry · @Opentelemetry/Instrumentation
Mralias
·
Published
2026-05-18
·
Updated
2026-07-09
·
CVE-2026-45678
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
OpenTelemetry eBPF Instrumentation versions prior to 0.9.0
Description
The Postgres protocol parser incorrectly assumes that
BIND message payloads contain a valid NUL-terminated portal name. When processing a crafted empty or unterminated payload, the system may slice beyond the end of the captured buffer, leading to a runtime panic. This occurs within the BIND case logic where the system computes portalLen and slices msg.data without verifying if the buffer contains a NUL terminator or sufficient bytes. This can result in a remote availability issue where an attacker sending malformed Postgres traffic to a monitored service crashes the agent, halting telemetry collection.Recommendations
Update to version 0.9.0.
Exploit
Fix
Improper Check for Exceptional Conditions
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
@Opentelemetry/Instrumentation