CVE-2026-45685
Status: Received - Intake
Denial of Service in OpenTelemetry eBPF Instrumentation

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.1.0 to before version 0.9.0, malformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service. The parser operates on raw attacker-controlled network payloads before the input is fully validated, so a single crafted message can terminate telemetry collection for the affected process or node. This issue has been patched in version 0.9.0.
CVSS Scores: none listed
EPSS Scores: not yet evaluated (Probability and Percentile N/A)
Generated: 2026-06-02
Affected Vendors & Products
3 associated CPEs:
Vendor          Product                             Version / Range
open_telemetry  opentelemetry_ebpf_instrumentation  From 0.1.0 (inc) to 0.9.0 (exc)
open_telemetry  go.opentelemetry.io/obi             From 0.1.0 (inc) to 0.8.0 (inc)
open_telemetry  go.opentelemetry.io/obi             From 0.1.0 (inc) to 0.3.0 (inc)
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-704 The product does not correctly convert an object, resource, or structure from one type to a different type.
CWE-248 An exception is thrown from a function, but it is not caught.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows a remote unauthenticated attacker to cause a denial of service by crashing the telemetry agent, which halts telemetry collection for the affected process or node until the agent is restarted.

This interruption in telemetry collection could impact the ability to monitor and log system activity, potentially affecting compliance with standards and regulations such as GDPR and HIPAA that require continuous monitoring and auditing of systems for security and data protection.

However, the advisory provides no information about specific compliance impacts or regulatory violations caused by this vulnerability.


Can you explain this vulnerability to me?

CVE-2026-45685 is a vulnerability in the OpenTelemetry eBPF instrumentation project, specifically in the MongoDB TCP parser component of the go.opentelemetry.io/obi package versions 0.1.0 through 0.8.0. The issue arises because malformed MongoDB wire messages can trigger uncaught panics in the parser.

There are three distinct panic conditions: two are slice-bounds errors in functions that slice the message buffer using lengths taken from the message itself, without first checking those lengths against the bytes actually received, and the third is an unchecked type assertion (the single-value form rather than the comma-ok form) that fails with an invalid interface conversion. In Go an unrecovered panic terminates the whole process, so any one of these ends the telemetry agent rather than just the parse of the offending message.

Because the parser operates on raw, attacker-controlled network payloads before full validation, a remote unauthenticated attacker can send specially crafted MongoDB messages to trigger these panics, causing a denial of service by crashing the telemetry agent.


How can this vulnerability impact me?

This vulnerability causes the telemetry agent to crash and stop collecting telemetry data whenever it parses a malformed MongoDB wire message crafted by an attacker.

The impact is a denial of service on the telemetry collection process or node: monitoring and observability data is lost or unavailable until the agent is restarted, and an attacker who can keep sending the crafted message can keep it down.

Since the attack can be performed remotely without authentication or user interaction, it poses a significant risk to systems relying on OpenTelemetry eBPF instrumentation for MongoDB traffic analysis.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for crashes or panics in the OpenTelemetry eBPF instrumentation agent, specifically related to the MongoDB TCP parser. Since malformed MongoDB wire messages trigger uncaught panics, signs of sudden telemetry agent termination or denial of service may indicate exploitation attempts.

Detection can also involve capturing and analyzing MongoDB network traffic for malformed or truncated OP_MSG packets or malformed BSON documents that could trigger the vulnerability.

While no specific commands are provided in the resources, general network packet capture and analysis tools such as tcpdump or Wireshark can be used to inspect MongoDB traffic for anomalies.

  • Use tcpdump to capture MongoDB traffic on the relevant network interface, for example: tcpdump -i <interface> port 27017 -w mongo_traffic.pcap (substitute the port if your deployment does not use the default 27017).
  • Analyze captured packets with Wireshark or similar tools to look for malformed MongoDB wire protocol messages: a messageLength header field that does not match the bytes actually on the wire, or a BSON document whose embedded length does not fit inside the OP_MSG body.
  • Monitor the telemetry agent's stderr and logs for Go runtime panic output. For the conditions described here that means lines beginning "panic: runtime error: slice bounds out of range" or "panic: interface conversion:", followed by a goroutine stack trace that names the MongoDB parsing functions.
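The three panic conditions described under "Can you explain this vulnerability to me?" and the malformed-traffic detection idea in the list above, as one added Go example. This is constructed for this page; it is not OBI's code and is not taken from the advisory. parseNaive reproduces the vulnerable pattern (slice bounds taken from attacker-controlled length fields, an unchecked type assertion), parseStrict is a hardened equivalent that returns an error instead of panicking, and scanFrames applies the strict checks to a captured byte stream to flag frames that would have crashed the naive parser. The OP_MSG layout and the 48,000,000-byte maxMessageSizeBytes limit are MongoDB wire protocol facts; every function name and the sample frames are assumptions made for the example.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Wire format facts used here: a 16-byte header of little-endian int32s (messageLength,
// requestID, responseTo, opCode); an OP_MSG (opCode 2013) body is 4 flag bytes followed by
// sections; a kind-0 section is one BSON document (int32 length prefix, 0x00 terminator).
// Constructed example, not OBI's code.
const headerLen, opMsgCode, maxMessageSize = 16, 2013, 48_000_000 // last: MongoDB's maxMessageSizeBytes

// decodeSection stands in for a decoder that yields a different concrete type per
// section kind: raw document bytes for kind 0, something else otherwise.
func decodeSection(kind byte, payload []byte) any {
	if kind == 0 {
		return payload
	}
	return fmt.Sprintf("kind-%d section", kind)
}

// parseNaive mirrors the three vulnerable patterns the advisory lists: two slice
// bounds taken from attacker-controlled lengths and one unchecked type assertion.
func parseNaive(frame []byte) int {
	msgLen := int(int32(binary.LittleEndian.Uint32(frame[0:4]))) // <4 bytes: slice bounds panic
	body := frame[headerLen:msgLen]                               // bogus messageLength: slice bounds panic
	doc := decodeSection(body[4], body[5:]).([]byte)              // kind != 0: interface conversion panic
	return int(int32(binary.LittleEndian.Uint32(doc[0:4])))
}

// parseStrict checks every length against the bytes actually present before slicing
// and uses a comma-ok assertion, so crafted input yields an error rather than a
// process-terminating panic. It returns the BSON document length.
func parseStrict(frame []byte) (int, error) {
	if len(frame) < headerLen {
		return 0, fmt.Errorf("malformed: %d-byte header, need %d", len(frame), headerLen)
	}
	msgLen := int(int32(binary.LittleEndian.Uint32(frame[0:4])))
	opCode := int32(binary.LittleEndian.Uint32(frame[12:16]))
	// An OP_MSG needs 4 flag bytes and a section kind byte after the header.
	if opCode != opMsgCode || msgLen < headerLen+5 || msgLen > maxMessageSize || msgLen > len(frame) {
		return 0, fmt.Errorf("malformed: opCode %d, messageLength %d, %d bytes captured", opCode, msgLen, len(frame))
	}
	body := frame[headerLen:msgLen]
	doc, ok := decodeSection(body[4], body[5:]).([]byte) // comma-ok: no panic on other kinds
	if !ok {
		return 0, fmt.Errorf("malformed: unexpected section kind %d", body[4])
	}
	if len(doc) < 5 { // smallest BSON document: int32 length + 0x00 terminator
		return 0, fmt.Errorf("malformed: %d-byte BSON document", len(doc))
	}
	docLen := int(int32(binary.LittleEndian.Uint32(doc[0:4])))
	if docLen < 5 || docLen > len(doc) || doc[docLen-1] != 0 {
		return 0, fmt.Errorf("malformed: BSON length %d does not fit %d bytes", docLen, len(doc))
	}
	return docLen, nil
}

// recoverPanic runs f and returns the runtime panic text instead of crashing.
func recoverPanic(f func() int) (n int, panicMsg string) {
	defer func() {
		if r := recover(); r != nil {
			panicMsg = fmt.Sprint(r)
		}
	}()
	return f(), ""
}

// buildOpMsg assembles a well-formed OP_MSG frame (constructed sample data) that
// carries an empty BSON document {} in a section of the given kind.
func buildOpMsg(kind byte) []byte {
	doc := []byte{5, 0, 0, 0, 0}
	frame := make([]byte, headerLen+4+1+len(doc))
	binary.LittleEndian.PutUint32(frame[0:4], uint32(len(frame)))
	binary.LittleEndian.PutUint32(frame[12:16], opMsgCode)
	frame[headerLen+4] = kind // flagBits stay 0; then the section kind byte
	copy(frame[headerLen+5:], doc)
	return frame
}

// scanFrames walks a captured byte stream for detection, reporting each frame as ok
// or with parseStrict's reason; a rejected frame ends the walk because the next
// frame boundary can no longer be trusted.
func scanFrames(stream []byte) []string {
	var findings []string
	for len(stream) > 0 {
		docLen, err := parseStrict(stream)
		if err != nil {
			return append(findings, err.Error())
		}
		findings = append(findings, fmt.Sprintf("ok: OP_MSG with %d-byte document", docLen))
		stream = stream[int(binary.LittleEndian.Uint32(stream[0:4])):]
	}
	return findings
}

func main() {
	good := buildOpMsg(0)
	for _, frame := range [][]byte{good[:10:10], buildOpMsg(1)} { // truncated; non-zero section kind
		_, msg := recoverPanic(func() int { return parseNaive(frame) })
		_, err := parseStrict(frame)
		fmt.Printf("naive: %s\nstrict: %v\n", msg, err)
	}
	fmt.Println(scanFrames(append(append([]byte{}, good...), good[:10:10]...)))
}
```

Running it prints, for each constructed bad frame, the runtime panic text the naive parser produces (the same "slice bounds out of range" and "interface conversion" strings to look for in agent logs) next to the error the strict parser returns instead. The full slice expression good[:10:10] matters: plain good[:10] keeps the original capacity, and Go allows reslicing up to capacity, so it would not reproduce the truncated-message panic.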

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the OpenTelemetry eBPF instrumentation package to version 0.9.0 or later, where this vulnerability has been patched.

Until the upgrade can be applied, consider disabling MongoDB protocol parsing in the telemetry agent if its configuration allows individual protocol parsers to be turned off, especially where the instrumented MongoDB endpoints receive untrusted or partially trusted traffic.

Additionally, run the agent under a supervisor that restarts it on exit (a Kubernetes DaemonSet does this by default) and alert on repeated restarts: a single crafted message is enough to crash it, so repeated crashes with the same panic warrant investigation as possible exploitation rather than an ordinary fault.

Restrict network access to the instrumented MongoDB endpoints to trusted clients. The agent observes traffic passively through eBPF rather than accepting connections itself, so the exposure to reduce is who can send MongoDB wire messages to the services it is tracing.

