{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/go.opentelemetry.io/obi/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["go.opentelemetry.io/obi"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","integer-overflow","memcached","opentelemetry"],"_cs_type":"advisory","_cs_vendors":["opentelemetry"],"content_html":"\u003cp\u003eA denial-of-service vulnerability exists in the memcached text protocol parser within OpenTelemetry eBPF Instrumentation (OBI). The vulnerability resides in the \u003ccode\u003epkg/ebpf/common/memcached_detect_transform.go\u003c/code\u003e file, where the parser lacks proper bounds checking when handling the \u003ccode\u003e\u0026lt;bytes\u0026gt;\u003c/code\u003e field of memcached storage commands (\u003ccode\u003eset\u003c/code\u003e, \u003ccode\u003eadd\u003c/code\u003e, \u003ccode\u003ereplace\u003c/code\u003e, \u003ccode\u003eappend\u003c/code\u003e, \u003ccode\u003eprepend\u003c/code\u003e, \u003ccode\u003ecas\u003c/code\u003e). By sending a crafted memcached request with an extremely large \u003ccode\u003e\u0026lt;bytes\u0026gt;\u003c/code\u003e value (e.g., \u003ccode\u003emath.MaxInt\u003c/code\u003e or \u003ccode\u003emath.MaxInt-1\u003c/code\u003e), an attacker can cause an integer overflow during payload length calculation. This overflow results in a negative payload length being passed to \u003ccode\u003eLargeBufferReader.Peek\u003c/code\u003e in \u003ccode\u003epkg/internal/largebuf/large_buffer.go\u003c/code\u003e, triggering a runtime panic and crashing the OBI process. This vulnerability affects OBI versions 0.7.0 to 0.8.x, allowing a remote attacker to disrupt telemetry collection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an OBI instance instrumenting memcached traffic.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a memcached storage command (e.g., \u003ccode\u003eset\u003c/code\u003e) with a large \u003ccode\u003e\u0026lt;bytes\u0026gt;\u003c/code\u003e field (close to \u003ccode\u003emath.MaxInt\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker sends the crafted memcached storage command to a service instrumented by the vulnerable OBI instance on port 11211.\u003c/li\u003e\n\u003cli\u003eOBI\u0026rsquo;s memcached request parser (\u003ccode\u003ememcachedCommandBytesField\u003c/code\u003e in \u003ccode\u003epkg/ebpf/common/memcached_detect_transform.go\u003c/code\u003e) receives the crafted command and parses the \u003ccode\u003e\u0026lt;bytes\u0026gt;\u003c/code\u003e field using \u003ccode\u003estrconv.Atoi\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eOBI calculates the payload length by adding the \u003ccode\u003e\u0026lt;bytes\u0026gt;\u003c/code\u003e value to the length of the trailing \u003ccode\u003e\\r\\n\u003c/code\u003e delimiter.\u003c/li\u003e\n\u003cli\u003eDue to the large \u003ccode\u003e\u0026lt;bytes\u0026gt;\u003c/code\u003e value, the addition overflows, resulting in a negative \u003ccode\u003epayloadLen\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe negative \u003ccode\u003epayloadLen\u003c/code\u003e is passed to \u003ccode\u003eLargeBufferReader.Peek\u003c/code\u003e in \u003ccode\u003epkg/internal/largebuf/large_buffer.go\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eLargeBufferReader.Peek\u003c/code\u003e attempts to slice a buffer with the negative length, causing a Go runtime panic and crashing the OBI process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial of service (DoS) against the OBI process. This leads to a loss of telemetry data collection for any services being monitored by the affected OBI instance. The attacker only needs to send a crafted memcached storage command to a service that OBI is instrumenting. This vulnerability impacts OBI deployments where the memcached parser is active and the instrumented services are reachable or influenceable by an attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect OpenTelemetry OBI Memcached Integer Overflow Attempt\u003c/code\u003e to detect crafted memcached storage commands with extremely large \u003ccode\u003e\u0026lt;bytes\u0026gt;\u003c/code\u003e values in network traffic.\u003c/li\u003e\n\u003cli\u003eMonitor OBI process logs and container status for crashes originating from \u003ccode\u003eLargeBufferReader.Peek\u003c/code\u003e, as indicated in the overview, to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsider filtering or sanitizing memcached storage command inputs to prevent excessively large \u003ccode\u003e\u0026lt;bytes\u0026gt;\u003c/code\u003e values from reaching instrumented services.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T20:22:53Z","date_published":"2026-05-18T20:22:53Z","id":"https://feed.craftedsignal.io/briefs/2026-05-opentelemetry-integer-overflow/","summary":"A remotely reachable integer overflow in OpenTelemetry eBPF Instrumentation's (OBI) memcached text protocol parser can crash the OBI process, causing a denial of service due to unchecked arithmetic when handling large payload sizes in memcached storage commands.","title":"OpenTelemetry eBPF Instrumentation (OBI) Memcached Integer Overflow DoS","url":"https://feed.craftedsignal.io/briefs/2026-05-opentelemetry-integer-overflow/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["go.opentelemetry.io/obi"],"_cs_severities":["medium"],"_cs_tags":["opentelemetry","mongodb","denial-of-service","CVE-2026-45685"],"_cs_type":"threat","_cs_vendors":["OpenTelemetry"],"content_html":"\u003cp\u003eThe OpenTelemetry eBPF Instrumentation agent is susceptible to a denial-of-service vulnerability in its MongoDB protocol parser. This vulnerability, present in versions v0.1.0 through v0.8.0 of \u003ccode\u003ego.opentelemetry.io/obi\u003c/code\u003e, allows a remote, unauthenticated attacker to crash the telemetry agent by sending specially crafted MongoDB wire messages. The parser operates on raw attacker-controlled network payloads before full validation, leading to uncaught panics and process termination. A single malformed packet can halt telemetry collection, impacting observability. Patches addressing these panics were introduced in versions v0.4.0 and later, but the BSON type-assertion issue persists through v0.8.0. This vulnerability, assigned CVE-2026-45685, can disrupt telemetry collection in deployments that monitor traffic from untrusted or partially trusted MongoDB clients. The affected code paths are in \u003ccode\u003epkg/ebpf/common/mongo_detect_transform.go\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malformed MongoDB OP_MSG packet or BSON document.\u003c/li\u003e\n\u003cli\u003eAttacker sends the crafted packet to the monitored MongoDB instance.\u003c/li\u003e\n\u003cli\u003eThe OpenTelemetry eBPF Instrumentation agent intercepts the MongoDB traffic.\u003c/li\u003e\n\u003cli\u003eThe agent\u0026rsquo;s \u003ccode\u003eparseOpMessage\u003c/code\u003e function attempts to read flag bits from the packet without proper bounds checking (versions v0.1.0-v0.3.0).\u003c/li\u003e\n\u003cli\u003eThe agent\u0026rsquo;s \u003ccode\u003eparseSections\u003c/code\u003e function attempts to read document-sequence length without proper bounds checking (versions v0.1.0-v0.3.0).\u003c/li\u003e\n\u003cli\u003eThe agent\u0026rsquo;s \u003ccode\u003eparseFirstField\u003c/code\u003e function performs an unchecked type assertion on BSON field values (versions v0.1.0-v0.8.0).\u003c/li\u003e\n\u003cli\u003eThe MongoDB parser encounters a slice-bounds panic or type assertion panic.\u003c/li\u003e\n\u003cli\u003eThe OpenTelemetry eBPF Instrumentation agent process terminates, leading to a denial of service and loss of telemetry data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial of service. An unauthenticated attacker can crash the OpenTelemetry eBPF Instrumentation agent by sending a crafted OP_MSG packet or malformed BSON document to a monitored MongoDB instance. This leads to a loss of observability until the agent process is restarted. This vulnerability impacts deployments that enable MongoDB parsing and process attacker-controlled or potentially malformed MongoDB traffic.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003ego.opentelemetry.io/obi\u003c/code\u003e package to version 0.9.0 or later to address the vulnerability described in CVE-2026-45685.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect OpenTelemetry MongoDB Parser Denial-of-Service Attempt\u0026rdquo; to identify suspicious network traffic targeting MongoDB instances that could trigger this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for malformed MongoDB packets, specifically those with truncated OP_MSG packets or malformed BSON documents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T20:20:25Z","date_published":"2026-05-18T20:20:25Z","id":"https://feed.craftedsignal.io/briefs/2026-05-opentelemetry-mongodb-dos/","summary":"Malformed MongoDB wire messages can trigger uncaught panics in the OpenTelemetry eBPF Instrumentation agent's MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service.","title":"OpenTelemetry eBPF Instrumentation MongoDB Parser Denial-of-Service","url":"https://feed.craftedsignal.io/briefs/2026-05-opentelemetry-mongodb-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Go.opentelemetry.io/Obi","version":"https://jsonfeed.org/version/1.1"}