CVE-2026-45686
Analyzed Analyzed - Analysis Complete
Integer Overflow in OpenTelemetry eBPF Instrumentation

Publication date: 2026-06-02

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.7.0 to before version 0.9.0, a remotely reachable integer overflow in OBI's memcached text protocol parser can crash the OBI process and cause denial of service. When parsing memcached storage commands such as set, add, replace, append, prepend, or cas, OBI accepts extremely large <bytes> values and adds the payload delimiter length without checking for overflow. A crafted request with <bytes> set to math.MaxInt or math.MaxInt-1 causes the computed payload length to wrap negative and triggers a runtime panic in LargeBufferReader.Peek. This issue has been patched in version 0.9.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-03
Generated
2026-06-23
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-45686
EUVD
EUVD-2026-33959
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opentelemetry ebpf_instrumentation From 0.7.0 (inc) to 0.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can cause a denial of service by crashing the OpenTelemetry eBPF Instrumentation (OBI) process. When exploited, OBI stops collecting telemetry data until it is manually restarted.

The impact is that monitoring and observability of the affected system may be lost temporarily, potentially obscuring operational issues or security events.

The attack requires no authentication or privileges against OBI itself, only the ability to send crafted memcached storage commands to the instrumented service.

Executive Summary

CVE-2026-45686 is a high-severity remote denial-of-service vulnerability in the OpenTelemetry eBPF Instrumentation (OBI) component. It arises from an integer overflow in the memcached text protocol parser when processing certain storage commands such as set, add, replace, append, prepend, or cas.

The parser accepts extremely large <bytes> values (up to math.MaxInt) without proper validation. When it calculates the payload length by adding the trailing delimiter length, this addition can overflow and wrap to a negative value. This negative length is then used in a buffer read operation, causing a runtime panic and crashing the OBI process.

An attacker can exploit this by sending a specially crafted memcached storage command to an instrumented service, causing OBI to crash and stop telemetry collection until manually restarted. The vulnerability affects OBI versions from 0.7.0 up to but not including 0.9.0 and has been patched in version 0.9.0.

Detection Guidance

This vulnerability can be detected by monitoring memcached traffic to the OpenTelemetry eBPF Instrumentation (OBI) component for unusually large <bytes> values in storage commands such as set, add, replace, append, prepend, or cas.

Detection involves capturing and inspecting memcached protocol commands to identify if any requests contain extremely large payload size values that could trigger the integer overflow.

Suggested commands include using network packet capture tools like tcpdump or Wireshark to filter memcached traffic and analyze the payload sizes. For example:

  • tcpdump -i <interface> -s 0 -w memcached_traffic.pcap port 11211
  • Use Wireshark or tshark to inspect the captured traffic for memcached storage commands with suspiciously large <bytes> values.
  • Alternatively, use command-line tools or scripts to parse memcached logs or traffic for commands with payload sizes near math.MaxInt or very large values.

Additionally, monitoring the OBI process for crashes or runtime panics related to LargeBufferReader.Peek can indicate exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade the OpenTelemetry eBPF Instrumentation (OBI) component to version 0.9.0 or later, where this integer overflow vulnerability has been patched.

Until the upgrade can be performed, consider restricting or filtering memcached traffic to the instrumented service to prevent attackers from sending crafted storage commands with extremely large <bytes> values.

Monitoring the OBI process for crashes and restarting it promptly can help maintain telemetry collection availability.

Implement network-level protections such as firewall rules or access controls to limit exposure of memcached ports to untrusted networks.

Compliance Impact

This vulnerability causes a denial of service by crashing the OpenTelemetry eBPF Instrumentation process, which results in loss of telemetry collection until manually restarted.

While the CVE description and resources do not explicitly mention impacts on compliance with standards such as GDPR or HIPAA, loss of telemetry data could potentially affect an organization's ability to monitor and audit system behavior, which is often a requirement under such regulations.

However, there is no direct information provided about data breaches, unauthorized data access, or data integrity issues related to this vulnerability that would explicitly impact compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45686. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart