{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-45678/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["go/go.opentelemetry.io/obi (\u003c 0.9.0)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","postgres","ebpf","CVE-2026-45678"],"_cs_type":"advisory","_cs_vendors":["opentelemetry"],"content_html":"\u003cp\u003eThe OpenTelemetry eBPF Instrumentation (OBI) is vulnerable to a denial-of-service attack due to improper handling of malformed Postgres BIND messages. The vulnerability, identified as CVE-2026-45678, resides in the Postgres protocol parser within OBI\u0026rsquo;s eBPF component. Specifically, the parser incorrectly assumes that BIND message payloads contain a valid NUL-terminated portal name. By sending a crafted BIND message with either an empty payload or a payload lacking the NUL terminator, an attacker can cause the parser to read beyond the bounds of the buffer, triggering a runtime panic. This panic results in the OBI agent crashing, disrupting telemetry collection for the affected node or process. The issue affects OBI versions prior to 0.9.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a target system running OBI monitoring a Postgres database.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malformed Postgres BIND message. This message either contains an empty payload or lacks the expected NUL terminator after the portal name.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted BIND message to the Postgres database server being monitored.\u003c/li\u003e\n\u003cli\u003eOBI intercepts the network traffic using eBPF and captures the malformed BIND message.\u003c/li\u003e\n\u003cli\u003eThe OBI Postgres protocol parser attempts to process the BIND message payload in \u003ccode\u003epkg/ebpf/common/sql_detect_postgres.go\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the missing NUL terminator or empty payload, the \u003ccode\u003eportalLen\u003c/code\u003e calculation results in a value exceeding the buffer\u0026rsquo;s boundaries.\u003c/li\u003e\n\u003cli\u003eThe subsequent slice operation \u003ccode\u003emsg.data[portalLen:]\u003c/code\u003e triggers a \u0026ldquo;slice bounds out of range\u0026rdquo; runtime panic.\u003c/li\u003e\n\u003cli\u003eThe OBI agent crashes, halting telemetry collection from the monitored system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition, specifically impacting the availability of telemetry data. An attacker can repeatedly send malformed Postgres BIND messages to crash the OBI agent, effectively blinding monitoring systems and preventing the detection of other potential security incidents. This vulnerability primarily affects organizations using OBI for monitoring Postgres databases. The impact is a loss of visibility into database performance and security, potentially leading to delayed incident response and increased risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to OpenTelemetry eBPF Instrumentation version 0.9.0 or later to patch CVE-2026-45678.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect OBI Postgres Parser Panic Attempt\u0026rdquo; to identify attempts to exploit CVE-2026-45678 by detecting malformed Postgres BIND messages.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unexpected patterns of malformed Postgres BIND messages indicative of exploitation attempts, and correlate with OBI agent crashes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T17:58:21Z","date_published":"2026-05-18T17:58:21Z","id":"https://feed.craftedsignal.io/briefs/2026-05-otel-postgres-panic/","summary":"The OpenTelemetry eBPF Instrumentation (OBI) Postgres protocol parser is vulnerable to a remote availability issue — when processing BIND messages, the parser assumes payloads contain a valid NUL-terminated portal name; a crafted empty or unterminated payload can cause OBI to slice beyond the end of the captured buffer, triggering a runtime panic and crashing the agent.","title":"OpenTelemetry eBPF Instrumentation Postgres Parser Vulnerable to Panic via Malformed BIND Payloads (CVE-2026-45678)","url":"https://feed.craftedsignal.io/briefs/2026-05-otel-postgres-panic/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-45678","version":"https://jsonfeed.org/version/1.1"}