PT-2026-41791 · Opentelemetry · @Opentelemetry/Instrumentation
Mralias
·
Published
2026-05-18
·
Updated
2026-07-09
·
CVE-2026-45686
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
OpenTelemetry eBPF Instrumentation versions 0.7.0 through 0.8.x
Description
An integer overflow exists in the memcached text protocol parser of OpenTelemetry eBPF Instrumentation (OBI). When parsing memcached storage commands such as
set, add, replace, append, prepend, or cas, the system accepts extremely large values for the bytes variable and adds the payload delimiter length without verifying for an overflow. A crafted request where bytes is set to math.MaxInt or math.MaxInt-1 causes the computed payload length to wrap to a negative value, triggering a runtime panic in the LargeBufferReader.Peek() function. This can lead to a remote denial of service, crashing the OBI process and resulting in the loss of telemetry collection.Recommendations
Update OpenTelemetry eBPF Instrumentation to version 0.9.0.
Exploit
Fix
DoS
Integer Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
@Opentelemetry/Instrumentation