PT-2026-41791 · Opentelemetry · @Opentelemetry/Instrumentation

Mralias

·

Published

2026-05-18

·

Updated

2026-07-09

·

CVE-2026-45686

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions OpenTelemetry eBPF Instrumentation versions 0.7.0 through 0.8.x
Description An integer overflow exists in the memcached text protocol parser of OpenTelemetry eBPF Instrumentation (OBI). When parsing memcached storage commands such as set, add, replace, append, prepend, or cas, the system accepts extremely large values for the bytes variable and adds the payload delimiter length without verifying for an overflow. A crafted request where bytes is set to math.MaxInt or math.MaxInt-1 causes the computed payload length to wrap to a negative value, triggering a runtime panic in the LargeBufferReader.Peek() function. This can lead to a remote denial of service, crashing the OBI process and resulting in the loss of telemetry collection.
Recommendations Update OpenTelemetry eBPF Instrumentation to version 0.9.0.

Exploit

Fix

DoS

Integer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45686
GHSA-43G7-CWR8-Q3JH
GO-2026-5107
OPENSUSE-SU-2026:11053-1
OPENSUSE-SU-2026:21251-1
SUSE-SU-2026:2824-1

Affected Products

@Opentelemetry/Instrumentation