CVE-2026-45686
Integer Overflow in OpenTelemetry eBPF Instrumentation
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open_telemetry | ob_i | From 0.7.0 (inc) to 0.9.0 (exc) |
| open_telemetry | ob_i | 0.9.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability causes a denial of service by crashing the OpenTelemetry eBPF Instrumentation (OBI) process. Once exploited, OBI stops collecting telemetry data until it is restarted.
The practical impact is a gap in monitoring and observability of the affected system, which can hide operational problems or security events for as long as OBI is down.
The attack requires no authentication or privileges against OBI itself, only the ability to send a crafted memcached storage command to a memcached instance that OBI is instrumenting; OBI observes that traffic via eBPF and parses it.
Can you explain this vulnerability to me?
CVE-2026-45686 is a high-severity remote denial-of-service vulnerability in the OpenTelemetry eBPF Instrumentation (OBI) component. It arises from an integer overflow in the memcached text protocol parser when processing storage commands (set, add, replace, append, prepend, or cas).
The parser accepts extremely large <bytes> values, up to math.MaxInt, without bounding them. It then computes the data-block length by adding the length of the trailing delimiter ("\r\n", 2 bytes) to <bytes>; for a value near math.MaxInt that addition wraps to a negative number, since Go integer arithmetic wraps silently. The negative length is passed to a buffer read (LargeBufferReader.Peek), which panics at runtime and crashes the OBI process.
An attacker exploits this by sending a single crafted memcached storage command to an instrumented service; OBI crashes and telemetry collection stops until the process is restarted. The vulnerability affects OBI versions from 0.7.0 up to but not including 0.9.0 and is patched in version 0.9.0.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts can be detected by inspecting memcached traffic to the instrumented service (the traffic OBI observes, not traffic addressed to OBI itself) for storage commands (set, add, replace, append, prepend, cas) whose <bytes> field is implausibly large.
Detection means capturing the memcached protocol command lines and checking the <bytes> field of each storage command for values near math.MaxInt, or simply far above any item size the service would ever store (memcached's default maximum item size is 1 MiB).
Suggested commands use a network packet capture tool such as tcpdump or Wireshark to capture memcached traffic and then examine the command lines. For example:
- tcpdump -i <interface> -s 0 -w memcached_traffic.pcap port 11211
- Open the capture in Wireshark or tshark, decode the stream as memcache, and look for storage commands with suspiciously large <bytes> values.
- Alternatively, parse memcached logs or the captured command lines with a script that flags any storage command whose <bytes> value is near math.MaxInt or exceeds the expected item size.
On the host side, monitor the OBI process for crashes or runtime panics that reference LargeBufferReader.Peek; a panic with that frame in the trace indicates an exploitation attempt or an accidental trigger.
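As an added illustration (not code from the OBI project), the following Go program models the overflow described above and doubles as a triage check for the detection steps: it extracts the <bytes> field from memcached storage-command lines, computes the data-block length both the wrapping way and with a bound check applied before the addition, recovers the slice-bounds panic that a negative length produces, and flags constructed sample command lines whose <bytes> would be refused. The function names, the 1 MiB item-size cutoff and the sample lines are assumptions for this example, not OBI's own identifiers or a capture from a real system.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// Storage commands of the memcached text protocol. The command line is
// "<cmd> <key> <flags> <exptime> <bytes> [noreply]\r\n" (cas also carries a
// <cas unique> after <bytes>), followed by <bytes> bytes of data and "\r\n".
var storageCommands = map[string]bool{
	"set": true, "add": true, "replace": true, "append": true, "prepend": true, "cas": true,
}

const delimLen = 2 // length of the "\r\n" that terminates the data block

// maxItemSize is an assumed sanity limit for <bytes>; memcached's default
// maximum item size is 1 MiB, so anything above it is suspicious.
const maxItemSize = 1 << 20

// parseBytesField extracts the <bytes> field from a storage-command line.
func parseBytesField(line string) (cmd string, n int, err error) {
	fields := strings.Fields(line)
	if len(fields) < 5 || !storageCommands[fields[0]] {
		return "", 0, errors.New("not a storage command")
	}
	n, err = strconv.Atoi(fields[4])
	if err != nil {
		return "", 0, fmt.Errorf("bad <bytes> field %q: %w", fields[4], err)
	}
	return fields[0], n, nil
}

// vulnerableDataLen reproduces the arithmetic the advisory describes: the
// delimiter length is added to an unchecked <bytes>. Go integers wrap
// silently, so math.MaxInt + 2 becomes a large negative number.
func vulnerableDataLen(n int) int {
	return n + delimLen
}

// safeDataLen rejects values that are negative, exceed the item-size limit,
// or would wrap when the delimiter is added. The overflow check subtracts on
// the constant side so the comparison itself can never overflow.
func safeDataLen(n int) (int, error) {
	if n < 0 || n > maxItemSize || n > math.MaxInt-delimLen {
		return 0, fmt.Errorf("rejecting <bytes>=%d: out of range", n)
	}
	return n + delimLen, nil
}

// peek stands in for a bounded buffer read. Slicing with a negative bound is
// a runtime panic in Go; recovering it here turns the crash into an error so
// the example can show what an unprotected parser would die on.
func peek(buf []byte, n int) (out []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	return buf[:n], nil
}

// flagSuspicious is the detection helper: it reports every storage command
// in the captured lines whose <bytes> value safeDataLen would refuse.
func flagSuspicious(lines []string) []string {
	var flagged []string
	for _, line := range lines {
		cmd, n, err := parseBytesField(line)
		if err != nil {
			continue // not a storage command, or unparsable; out of scope here
		}
		if _, err := safeDataLen(n); err != nil {
			flagged = append(flagged, fmt.Sprintf("%s: %v", cmd, err))
		}
	}
	return flagged
}

func main() {
	// Constructed sample command lines, not captured traffic.
	sample := []string{
		"get session:42",
		"set session:42 0 900 5",
		"append session:42 0 900 9223372036854775807",
		"cas session:42 0 900 2097152 7",
	}
	for _, f := range flagSuspicious(sample) {
		fmt.Println("flagged:", f)
	}
	_, n, _ := parseBytesField(sample[2])
	bad := vulnerableDataLen(n)
	fmt.Printf("unchecked data length: %d\n", bad)
	if _, err := peek(make([]byte, 64), bad); err != nil {
		fmt.Println("an unprotected parser would crash with:", err)
	}
}
```

The bound check in safeDataLen is the shape of fix a practitioner wants: validate <bytes> against a maximum the service can actually store before any arithmetic on it, and write the overflow guard as n > math.MaxInt-delimLen rather than checking the sum after the fact, since the sum has already wrapped by then.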
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade the OpenTelemetry eBPF Instrumentation (OBI) component to version 0.9.0 or later, where the integer overflow is patched.
Until the upgrade is done, restrict or filter memcached traffic to the instrumented service so that untrusted clients cannot send storage commands with extremely large <bytes> values. Note that this only narrows the attacker population; any client that can reach the memcached port can still trigger the crash.
Run OBI under a supervisor that restarts it on failure (for example systemd with Restart=on-failure, or the container restart policy of a Kubernetes DaemonSet), and alert on those restarts, so that the telemetry gap after a crash is short and noticed.
Apply network-level protections such as firewall rules or access controls so that memcached ports are reachable only from the application hosts that need them.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes a denial of service by crashing the OpenTelemetry eBPF Instrumentation process, which results in loss of telemetry collection until the process is restarted.
The CVE description and resources do not mention compliance with standards such as GDPR or HIPAA. A loss of telemetry could, however, affect an organization's ability to monitor and audit system behavior, which such regulations often require.
There is no information indicating a data breach, unauthorized data access, or a data-integrity issue from this vulnerability, so it has no direct compliance impact beyond the monitoring gap.