CVE-2026-45686
7.5 HIGHOpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard
Published: 2026-06-02 · Last updated: 2026-06-03
Severity and scoring
- CVSS
- 7.5 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CWE
- CWE-190
Affected products
| Vendor | Product |
|---|---|
| opentelemetry | ebpf_instrumentation |
Description
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.7.0 to before version 0.9.0, a remotely reachable integer overflow in OBI's memcached text protocol parser can crash the OBI process and cause denial of service. When parsing memcached storage commands such as set, add, replace, append, prepend, or cas, OBI accepts extremely large <bytes> values and adds the payload delimiter length without checking for overflow. A crafted request with <bytes> set to math.MaxInt or math.MaxInt-1 causes the computed payload length to wrap negative and triggers a runtime panic in LargeBufferReader.Peek. This issue has been patched in version 0.9.0.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45686
- [Other]https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.9.0
- [Vendor advisory]https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-43g7-cwr8-q3jh
- [Vendor advisory]https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-43g7-cwr8-q3jh
Related CVEs
Same vendor
- CVE-2026-45685 — OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard (7.5 HIGH)
- CVE-2026-45684 — OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard (4.9 MEDIUM)
- CVE-2026-45683 — OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard (3.8 LOW)
- CVE-2026-45682 — OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard (5.1 MEDIUM)
- CVE-2026-45681 — OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard (5.9 MEDIUM)
Same CWE
- CVE-2025-66280 — An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions
- CVE-2026-34711 — CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Integer Overflow or Wraparound vulnerability (7.5 HIGH)
- CVE-2026-47925 — Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could... (5.5 MEDIUM)
- CVE-2023-29146 — The utility functions used by Malwarebytes EDR 1.0.11 on Linux for calculating a cryptographic hash of data bytes truncate the hashed dat... (8.2 HIGH)
- CVE-2026-47291 — Integer overflow or wraparound in Windows HTTP.sys allows an unauthorized attacker to execute code over a network (9.8 CRITICAL)