CVE-2026-45678
Analyzed - Analysis Complete
Buffer Overflow in OpenTelemetry eBPF Instrumentation

Publication date: 2026-06-02

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the Postgres protocol parser assumes BIND message payloads contain a valid NUL-terminated portal name. A crafted empty or unterminated payload can make OBI slice beyond the end of the captured buffer and panic. This issue has been patched in version 0.9.0.
Meta Information
Published
2026-06-02
Last Modified
2026-06-03
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
Affected Vendors & Products
1 associated CPE
Vendor: opentelemetry
Product: ebpf_instrumentation
Version / Range: up to 0.9.0 (excluding)
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Executive Summary

The vulnerability CVE-2026-45678 affects the OpenTelemetry eBPF Instrumentation (OBI) component, specifically its Postgres protocol parser.

The parser assumes that BIND message payloads contain a valid NUL-terminated portal name. However, if a crafted empty or unterminated payload is sent, the parser can slice beyond the end of the captured buffer, causing a runtime panic.

This happens because the code converts the payload to a string, calculates the portal length, and slices the buffer without properly validating the presence of a NUL terminator or ensuring there are enough bytes.

An attacker can exploit this by sending a malformed BIND frame with an empty payload, which crashes the OBI agent and halts telemetry collection for the affected node or process.
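The following is an added Go example, not OBI's own source, showing the parsing mistake the summary describes next to a defensive version. In the PostgreSQL frontend/backend protocol, the body of a Bind message begins with two NUL-terminated strings (the portal name, then the prepared-statement name). The naive function below is an assumed illustration of the bug class (string conversion plus an unchecked slice), and the names BindHeader, ParseBindHeader, readCString and naivePanics are chosen here; the sample payloads are constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// ErrMalformedBind is returned when a BIND payload does not carry the
// NUL-terminated names the protocol requires (empty or truncated input).
var ErrMalformedBind = errors.New("postgres BIND: missing NUL-terminated name")

// naivePortalName is an assumed illustration of the vulnerable pattern:
// convert to string, compute the portal length, slice without checking
// that a NUL was actually found. With an empty or unterminated payload
// IndexByte returns -1 and the slice expression panics at runtime.
func naivePortalName(payload []byte) string {
	s := string(payload)
	portalLen := bytes.IndexByte(payload, 0)
	return s[:portalLen]
}

// naivePanics reports whether naivePortalName panics on the given payload.
// It only exists to demonstrate the failure mode in a recoverable way.
func naivePanics(payload []byte) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	_ = naivePortalName(payload)
	return false
}

// BindHeader holds the two names that open a Bind message body and the
// bytes that follow them (parameter formats and values, left unparsed here).
type BindHeader struct {
	Portal    string
	Statement string
	Rest      []byte
}

// readCString returns the string before the first NUL and the remaining
// bytes after it. A buffer with no NUL, including an empty buffer, is an
// error rather than a panic.
func readCString(buf []byte) (string, []byte, error) {
	i := bytes.IndexByte(buf, 0)
	if i < 0 {
		return "", nil, ErrMalformedBind
	}
	return string(buf[:i]), buf[i+1:], nil
}

// ParseBindHeader is the hardened parser: every slice is bounded by a
// NUL that was verified to exist inside the captured buffer, so a
// malformed frame yields an error the caller can log and drop.
func ParseBindHeader(payload []byte) (BindHeader, error) {
	portal, rest, err := readCString(payload)
	if err != nil {
		return BindHeader{}, err
	}
	stmt, rest, err := readCString(rest)
	if err != nil {
		return BindHeader{}, err
	}
	return BindHeader{Portal: portal, Statement: stmt, Rest: rest}, nil
}

func main() {
	// Constructed sample payloads: the message body after the 'B' type
	// byte and the int32 length field.
	samples := map[string][]byte{
		"valid":        []byte("p1\x00s1\x00\x00\x00"),
		"empty":        {},
		"unterminated": []byte("portal-without-nul"),
	}
	for name, payload := range samples {
		h, err := ParseBindHeader(payload)
		fmt.Printf("%-12s naive panics=%-5v hardened: header=%+v err=%v\n",
			name, naivePanics(payload), h, err)
	}
}
```

Run with `go run`. The valid payload parses to portal "p1" and statement "s1"; the empty and unterminated payloads make the naive version panic while the hardened version returns ErrMalformedBind, which is the difference between an agent crash and a dropped frame.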

The issue was patched in version 0.9.0 of the OBI package.

Impact Analysis

This vulnerability can impact you by causing the OpenTelemetry eBPF Instrumentation agent to crash when it processes a specially crafted malformed BIND message.

The crash results in a runtime panic that halts telemetry collection on the affected node or process, potentially leading to loss of monitoring data and visibility.

Since the vulnerability can be exploited remotely without any privileges or user interaction, it poses a high-severity risk to availability.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or panics in the OpenTelemetry eBPF Instrumentation (OBI) agent, especially related to the Postgres protocol parser. Since the issue is triggered by malformed BIND message payloads in the Postgres protocol, network traffic inspection tools could be used to identify unusual or malformed BIND frames with empty or unterminated payloads.

However, no specific detection commands or tools are provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to upgrade the OpenTelemetry eBPF Instrumentation (OBI) package to version 0.9.0 or later, where this vulnerability has been patched.

Until the upgrade is applied, monitoring and restricting malformed Postgres BIND messages may help reduce the risk of exploitation, but no specific mitigation commands are provided.

Compliance Impact

The provided information does not explicitly mention any impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
