CVE-2026-45678
Buffer Overflow in OpenTelemetry eBPF Instrumentation
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| EPSS metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open_telemetry | opentelemetry_ebpf_instrumentation | < 0.9.0 (0.9.0 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability CVE-2026-45678 affects the OpenTelemetry eBPF Instrumentation (OBI) component, specifically its Postgres protocol parser.
The parser assumes that BIND message payloads contain a valid NUL-terminated portal name. However, if a crafted empty or unterminated payload is sent, the parser can slice beyond the end of the captured buffer, causing a runtime panic.
This happens because the code converts the payload to a string, calculates the portal length, and slices the buffer without properly validating the presence of a NUL terminator or ensuring there are enough bytes.
An attacker can exploit this by sending a malformed BIND frame with an empty payload, which crashes the OBI agent and halts telemetry collection for the affected node or process.
The issue was patched in version 0.9.0 of the OBI package.
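The failure mode described above (read the portal name, then slice past where the NUL terminator is assumed to be) can be shown side by side with the bounds-checked form. The following is an added example written for this page, not OBI's source: both parsers, the C-string helper, and the sample payloads are hypothetical reconstructions of the pattern the description gives, and the Bind payload layout is only the leading portal-name field.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Hypothetical reconstruction of the parsing pattern described for
// CVE-2026-45678; this is not OBI's actual code.

// ErrNoTerminator is returned by the hardened parser when the captured
// payload contains no NUL terminator for the portal name.
var ErrNoTerminator = errors.New("bind payload: portal name is not NUL-terminated")

// cstring mimics a lenient C-string reader: it returns everything up to the
// first NUL, or the whole buffer when no NUL is present.
func cstring(b []byte) string {
	if i := bytes.IndexByte(b, 0); i >= 0 {
		return string(b[:i])
	}
	return string(b)
}

// parsePortalUnsafe reproduces the vulnerable pattern: it trusts that a NUL
// follows the portal name and slices past it without checking the length.
// On an empty or unterminated payload the slice expression panics.
func parsePortalUnsafe(payload []byte) (portal string, rest []byte) {
	portal = cstring(payload)
	rest = payload[len(portal)+1:] // panics when len(payload) < len(portal)+1
	return portal, rest
}

// parsePortalSafe is the hardened form: the terminator must be present inside
// the captured bytes before any slicing happens, so no index can exceed len.
func parsePortalSafe(payload []byte) (portal string, rest []byte, err error) {
	i := bytes.IndexByte(payload, 0)
	if i < 0 {
		return "", nil, ErrNoTerminator
	}
	return string(payload[:i]), payload[i+1:], nil // i+1 <= len(payload)
}

// panics reports whether f panics; it is used to demonstrate the unsafe
// parser's crash rather than letting the panic take the process down.
func panics(f func()) (didPanic bool) {
	defer func() {
		if r := recover(); r != nil {
			didPanic = true
		}
	}()
	f()
	return false
}

func main() {
	// Constructed sample payloads (not captured traffic).
	cases := map[string][]byte{
		"well-formed":  []byte("my_portal\x00stmt\x00\x00\x00"),
		"empty":        {},
		"unterminated": []byte("my_portal"),
	}
	for name, p := range cases {
		crashed := panics(func() { parsePortalUnsafe(p) })
		portal, _, err := parsePortalSafe(p)
		fmt.Printf("%-13s unsafe panics=%v  safe portal=%q err=%v\n", name, crashed, portal, err)
	}
}
```

The point of the hardened version is that the only index used for slicing comes from a search over the bytes actually captured, so an empty or unterminated payload is reported as a parse error and the agent keeps running instead of losing telemetry for the whole node.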
How can this vulnerability impact me?
This vulnerability can impact you by causing the OpenTelemetry eBPF Instrumentation agent to crash when it processes a specially crafted malformed BIND message.
The crash results in a runtime panic that halts telemetry collection on the affected node or process, potentially leading to loss of monitoring data and visibility.
Since the vulnerability can be exploited remotely without any privileges or user interaction, it poses a high-severity risk to availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or panics in the OpenTelemetry eBPF Instrumentation (OBI) agent, especially related to the Postgres protocol parser. Since the issue is triggered by malformed BIND message payloads in the Postgres protocol, network traffic inspection tools could be used to identify unusual or malformed BIND frames with empty or unterminated payloads.
However, no specific detection commands or tools are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the OpenTelemetry eBPF Instrumentation (OBI) package to version 0.9.0 or later, where this vulnerability has been patched.
Until the upgrade is applied, monitoring and restricting malformed Postgres BIND messages may help reduce the risk of exploitation, but no specific mitigation commands are provided.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not explicitly mention any impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.