https://feed.craftedsignal.io/products/go.opentelemetry.io/obi/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 18 May 2026 20:22:53 +0000https://feed.craftedsignal.io/briefs/2026-05-opentelemetry-integer-overflow/Mon, 18 May 2026 20:22:53 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-opentelemetry-integer-overflow/A remotely reachable integer overflow in OpenTelemetry eBPF Instrumentation's (OBI) memcached text protocol parser can crash the OBI process, causing a denial of service due to unchecked arithmetic when handling large payload sizes in memcached storage commands.A denial-of-service vulnerability exists in the memcached text protocol parser within OpenTelemetry eBPF Instrumentation (OBI). The vulnerability resides in the pkg/ebpf/common/memcached_detect_transform.go file, where the parser lacks proper bounds checking when handling the <bytes> field of memcached storage commands (set, add, replace, append, prepend, cas). By sending a crafted memcached request with an extremely large <bytes> value (e.g., math.MaxInt or math.MaxInt-1), an attacker can cause an integer overflow during payload length calculation. This overflow results in a negative payload length being passed to LargeBufferReader.Peek in pkg/internal/largebuf/large_buffer.go, triggering a runtime panic and crashing the OBI process. This vulnerability affects OBI versions 0.7.0 to 0.8.x, allowing a remote attacker to disrupt telemetry collection.

Attack Chain

1. Attacker identifies an OBI instance instrumenting memcached traffic.
2. Attacker crafts a memcached storage command (e.g., set) with a large <bytes> field (close to math.MaxInt).
3. Attacker sends the crafted memcached storage command to a service instrumented by the vulnerable OBI instance on port 11211.
4. OBI’s memcached request parser (memcachedCommandBytesField in pkg/ebpf/common/memcached_detect_transform.go) receives the crafted command and parses the <bytes> field using strconv.Atoi.
5. OBI calculates the payload length by adding the <bytes> value to the length of the trailing \r\n delimiter.
6. Due to the large <bytes> value, the addition overflows, resulting in a negative payloadLen.
7. The negative payloadLen is passed to LargeBufferReader.Peek in pkg/internal/largebuf/large_buffer.go.
8. LargeBufferReader.Peek attempts to slice a buffer with the negative length, causing a Go runtime panic and crashing the OBI process.

Impact

Successful exploitation of this vulnerability results in a denial of service (DoS) against the OBI process. This leads to a loss of telemetry data collection for any services being monitored by the affected OBI instance. The attacker only needs to send a crafted memcached storage command to a service that OBI is instrumenting. This vulnerability impacts OBI deployments where the memcached parser is active and the instrumented services are reachable or influenceable by an attacker.

Recommendation

• Deploy the Sigma rule Detect OpenTelemetry OBI Memcached Integer Overflow Attempt to detect crafted memcached storage commands with extremely large <bytes> values in network traffic.
• Monitor OBI process logs and container status for crashes originating from LargeBufferReader.Peek, as indicated in the overview, to identify potential exploitation attempts.
• Consider filtering or sanitizing memcached storage command inputs to prevent excessively large <bytes> values from reaching instrumented services.

]]>mediumadvisorydenial-of-serviceinteger-overflowmemcachedopentelemetryhttps://feed.craftedsignal.io/briefs/2026-05-opentelemetry-mongodb-dos/Mon, 18 May 2026 20:20:25 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-opentelemetry-mongodb-dos/Malformed MongoDB wire messages can trigger uncaught panics in the OpenTelemetry eBPF Instrumentation agent's MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service.The OpenTelemetry eBPF Instrumentation agent is susceptible to a denial-of-service vulnerability in its MongoDB protocol parser. This vulnerability, present in versions v0.1.0 through v0.8.0 of go.opentelemetry.io/obi, allows a remote, unauthenticated attacker to crash the telemetry agent by sending specially crafted MongoDB wire messages. The parser operates on raw attacker-controlled network payloads before full validation, leading to uncaught panics and process termination. A single malformed packet can halt telemetry collection, impacting observability. Patches addressing these panics were introduced in versions v0.4.0 and later, but the BSON type-assertion issue persists through v0.8.0. This vulnerability, assigned CVE-2026-45685, can disrupt telemetry collection in deployments that monitor traffic from untrusted or partially trusted MongoDB clients. The affected code paths are in pkg/ebpf/common/mongo_detect_transform.go.

Attack Chain

1. Attacker crafts a malformed MongoDB OP_MSG packet or BSON document.
2. Attacker sends the crafted packet to the monitored MongoDB instance.
3. The OpenTelemetry eBPF Instrumentation agent intercepts the MongoDB traffic.
4. The agent’s parseOpMessage function attempts to read flag bits from the packet without proper bounds checking (versions v0.1.0-v0.3.0).
5. The agent’s parseSections function attempts to read document-sequence length without proper bounds checking (versions v0.1.0-v0.3.0).
6. The agent’s parseFirstField function performs an unchecked type assertion on BSON field values (versions v0.1.0-v0.8.0).
7. The MongoDB parser encounters a slice-bounds panic or type assertion panic.
8. The OpenTelemetry eBPF Instrumentation agent process terminates, leading to a denial of service and loss of telemetry data.

Impact

Successful exploitation of this vulnerability results in a denial of service. An unauthenticated attacker can crash the OpenTelemetry eBPF Instrumentation agent by sending a crafted OP_MSG packet or malformed BSON document to a monitored MongoDB instance. This leads to a loss of observability until the agent process is restarted. This vulnerability impacts deployments that enable MongoDB parsing and process attacker-controlled or potentially malformed MongoDB traffic.

Recommendation

• Upgrade the go.opentelemetry.io/obi package to version 0.9.0 or later to address the vulnerability described in CVE-2026-45685.
• Deploy the Sigma rule “Detect OpenTelemetry MongoDB Parser Denial-of-Service Attempt” to identify suspicious network traffic targeting MongoDB instances that could trigger this vulnerability.
• Monitor network traffic for malformed MongoDB packets, specifically those with truncated OP_MSG packets or malformed BSON documents.

]]>mediumthreatopentelemetrymongodbdenial-of-serviceCVE-2026-45685