CVE-2026-45686: OpenTelemetry eBPF Instrumentation: Memcached payload length overflow can crash OBI
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.7.0 to before version 0.9.0, a remotely reachable integer overflow in OBI's memcached text protocol parser can crash the OBI process and cause denial of service. When parsing memcached storage commands such as set, add, replace, append, prepend, or cas, OBI accepts extremely large <bytes> values and adds the payload delimiter length without checking for overflow. A crafted request with <bytes> set to math.MaxInt or math.MaxInt-1 causes the computed payload length to wrap negative and triggers a runtime panic in LargeBufferReader.Peek. This issue has been patched in version 0.9.0.
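As an added illustration (not OBI's own code) of the arithmetic the advisory describes and the bounds check that prevents it, assuming a two-byte "\r\n" delimiter and a constructed 1 MiB item cap:

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
)

// delimLen is the length of the "\r\n" that ends a memcached data block.
const delimLen = 2

// maxPayload is an assumed per-item cap (memcached's default limit is 1 MiB); constructed, not OBI's setting.
const maxPayload = 1 << 20

var (
	errOverflow = errors.New("memcached: <bytes> + delimiter overflows int")
	errTooLarge = errors.New("memcached: <bytes> exceeds maximum item size")
)
// naivePayloadLen mirrors the unchecked addition the advisory describes: math.MaxInt or MaxInt-1 wraps negative.
func naivePayloadLen(bytes int) int {
	return bytes + delimLen
}

// parsePayloadLen parses the <bytes> field of "set <key> <flags> <exptime> <bytes> [noreply]"
// and returns how many bytes to read (data plus "\r\n"), rejecting values that would wrap or exceed the cap.
func parsePayloadLen(field string) (int, error) {
	n, err := strconv.ParseInt(field, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("memcached: bad <bytes> field %q: %w", field, err)
	}
	if n < 0 {
		return 0, errors.New("memcached: negative <bytes>")
	}
	if n > math.MaxInt-delimLen { // n + delimLen would overflow int
		return 0, errOverflow
	}
	if n > maxPayload {
		return 0, errTooLarge
	}
	return int(n) + delimLen, nil
}

func main() {
	for _, f := range []string{"5", "9223372036854775807", "2097152", "-1"} {
		n, err := parsePayloadLen(f)
		fmt.Printf("%-20s -> %d, %v\n", f, n, err)
	}
	fmt.Println("unchecked:", naivePayloadLen(math.MaxInt))
}
```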
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An integer overflow in OpenTelemetry eBPF Instrumentation (OBI) versions 0.7.0 through 0.8.x allows a remote, unauthenticated attacker to crash the OBI process by sending a crafted Memcached storage command. The Memcached text protocol parser accepts an oversized byte-count value, adds a delimiter length without bounds checking, and wraps the result to a negative number, triggering a runtime panic in LargeBufferReader.Peek. Successful exploitation causes a full denial of service of the OBI instrumentation process. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection of CVE-2026-45686 is available across every HarborGuard environment. Affected image layers running opentelemetry-ebpf-instrumentation versions 0.7.0 through 0.8.x are matched against upstream feed data within minutes of publication, covering both pulled base images and custom-built images in customer registries and CI pipelines.
Triage is available automatically for any matched image, scored at CVSS 7.5 HIGH using the v3.1 vector from the upstream record. Per-environment compliance policy weighting is applied, and findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
Because no upstream fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainers ship a corrected release. In the interim, compensating controls such as network-policy isolation restricting Memcached traffic to trusted sources are surfaced as advisory notes on the finding.
Exploit Conditions
- Network reachability: Required
  The vulnerable parser is exposed over the network; an attacker must be able to send a crafted Memcached storage command to a reachable OBI-instrumented endpoint.
- Authentication: Not required
  No credentials or account of any privilege level are required to send the malicious request.
- Victim interaction: Not required
  No user action is needed; the attacker triggers the panic entirely through a single crafted network request.
- Attack complexity: Low
  Exploit conditions are straightforward and reliable, requiring no race condition, memory-layout knowledge, or environmental setup beyond network access.
Blast Radius
- The OBI process crashes immediately, halting all eBPF-based telemetry collection for every service instrumented through that OBI instance.
- Loss of observability data during the outage leaves operators blind to application performance, error rates, and distributed traces until OBI is restarted.
- Repeated crashes via automated requests can keep OBI in a persistent restart loop, producing an extended denial-of-service condition rather than a one-time outage.
How HarborGuard Handles This
Available on HarborGuard: images containing opentelemetry-ebpf-instrumentation in the affected version range are flagged in every registry and pipeline scan as soon as the CVE feed is ingested. Because no upstream patch exists yet, HarborGuard monitors the advisory on each ingest cycle and will surface a patched-image rebuild automatically the moment version 0.9.0 or a later fix is published upstream. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once a fix version is available. In the meantime, compensating controls to consider include applying network policies that restrict which sources can reach Memcached ports on OBI-instrumented hosts, adding egress filtering to reduce the attack surface, and where operationally feasible, temporarily disabling Memcached text-protocol parsing via feature configuration until the upstream fix lands.
- open-telemetry/opentelemetry-ebpf-instrumentation: >= 0.7.0, < 0.9.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H