CVE-2026-45685: OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.1.0 to before version 0.9.0, malformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service. The parser operates on raw attacker-controlled network payloads before the input is fully validated, so a single crafted message can terminate telemetry collection for the affected process or node. This issue has been patched in version 0.9.0.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a denial-of-service vulnerability in the OpenTelemetry eBPF Instrumentation MongoDB TCP parser, affecting versions 0.1.0 through 0.8.x. A remote, unauthenticated attacker can send a single crafted MongoDB wire message over the network, triggering an uncaught panic that crashes the telemetry agent. Successful exploitation terminates telemetry collection for the affected process or node. A patched-image rebuild at version 0.9.0 is available on HarborGuard for environments running an affected version.
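As an added illustration that is not part of this advisory or of the project's own code, the Go snippet below shows the defensive shape the synopsis implies: a MongoDB OP_MSG parser that checks every declared length against the bytes actually captured before using it to slice the buffer, plus a recover() wrapper so a residual bug fails one message rather than the whole agent. The header layout, opcode and size limit are taken from the public MongoDB wire-protocol specification; the function names are assumptions of this example.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Public wire-protocol values: 16-byte header of four LE int32 fields, OP_MSG opcode 2013, 48 MB max.
const (
	headerLen = 16
	opMsg     = 2013
	maxMsgLen = 48 * 1000 * 1000
)

// opMsgBodyLen parses a captured OP_MSG far enough to return the length of its first
// (kind 0) section's BSON document, validating each length before it is used to slice.
func opMsgBodyLen(buf []byte) (int32, error) {
	if len(buf) < headerLen {
		return 0, fmt.Errorf("header truncated: %d bytes", len(buf))
	}
	msgLen := int32(binary.LittleEndian.Uint32(buf[0:4]))
	opCode := int32(binary.LittleEndian.Uint32(buf[12:16]))
	if msgLen < headerLen || msgLen > maxMsgLen || int(msgLen) > len(buf) {
		return 0, fmt.Errorf("bad messageLength %d for %d captured bytes", msgLen, len(buf))
	}
	if opCode != opMsg {
		return 0, fmt.Errorf("unexpected opcode %d", opCode)
	}
	body := buf[headerLen:msgLen] // safe: msgLen is already bounded by len(buf)
	// flagBits (4 bytes) + section kind (1 byte) + BSON int32 length prefix (4 bytes)
	if len(body) < 9 || body[4] != 0 {
		return 0, fmt.Errorf("missing kind-0 body section")
	}
	docLen := int32(binary.LittleEndian.Uint32(body[5:9]))
	if docLen < 5 || int(docLen) > len(body)-5 {
		return 0, fmt.Errorf("BSON length %d exceeds section of %d bytes", docLen, len(body)-5)
	}
	return docLen, nil
}

// safeParse is the agent's last line of defence: a residual indexing bug in
// the parser becomes an error for one message instead of a crash of the agent.
func safeParse(buf []byte) (n int32, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("parser panic recovered: %v", r)
		}
	}()
	return opMsgBodyLen(buf)
}
```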
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle opentelemetry-ebpf-instrumentation. Any image resolving to a version in the range 0.1.0 through 0.8.x is flagged automatically.
Available
HarborGuard scores this CVE at CVSS 7.5 (HIGH) and surfaces it through each customer org's compliance-policy weighting, routing alerts to the team or inbox configured for high-severity findings in that environment.
Available
Because the fix is published at version 0.9.0, a patched-image rebuild at that version is available on HarborGuard for any environment whose scanned images contain an affected release. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test pass, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must reach the telemetry agent's MongoDB TCP parser over the network; any service exposed on a routable network interface is in scope.
- Authentication: Not required
No credentials or session token are needed; the parser processes raw wire messages before any authentication check occurs.
- Victim interaction: Not required
No user action is required; the attacker sends the crafted message directly to the listening agent.
- Attack complexity
Exploitation is reliable and condition-free; no race conditions or special environmental factors are required to trigger the panic.
Blast Radius
- Crashes the OpenTelemetry eBPF telemetry agent process, ending all telemetry collection for the node it runs on.
- Blinds observability pipelines that depend on this agent, eliminating traces, metrics, and logs from the affected host until the process is restarted.
- Confidentiality and data integrity of stored records are not affected; this is a pure availability impact.
How HarborGuard Handles This
Available on HarborGuard: scanning for CVE-2026-45685 is active across all customer environments, matching images that carry opentelemetry-ebpf-instrumentation in the affected version range. A patched-image rebuild at version 0.9.0 is available; for customers with auto-remediation enabled, HarborGuard triggers the rebuild, runs regression tests, and opens a PR against affected workloads (median time to merged patch PR for high-severity issues is around 90 minutes). For environments where auto-remediation is not permitted by compliance policy, HarborGuard surfaces the finding with fix-version detail so teams can act manually. While waiting to upgrade, compensating controls worth considering include network-policy rules that restrict which sources can send raw MongoDB wire traffic to the agent port, and node-level traffic filtering to limit unexpected inbound payload paths to the parser.
- open-telemetry / opentelemetry-ebpf-instrumentation: >= 0.1.0, < 0.9.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H