{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-45685/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["go.opentelemetry.io/obi"],"_cs_severities":["medium"],"_cs_tags":["opentelemetry","mongodb","denial-of-service","CVE-2026-45685"],"_cs_type":"threat","_cs_vendors":["OpenTelemetry"],"content_html":"\u003cp\u003eThe OpenTelemetry eBPF Instrumentation agent is susceptible to a denial-of-service vulnerability in its MongoDB protocol parser. This vulnerability, present in versions v0.1.0 through v0.8.0 of \u003ccode\u003ego.opentelemetry.io/obi\u003c/code\u003e, allows a remote, unauthenticated attacker to crash the telemetry agent by sending specially crafted MongoDB wire messages. The parser operates on raw attacker-controlled network payloads before full validation, leading to uncaught panics and process termination. A single malformed packet can halt telemetry collection, impacting observability. Patches addressing these panics were introduced in versions v0.4.0 and later, but the BSON type-assertion issue persists through v0.8.0. This vulnerability, assigned CVE-2026-45685, can disrupt telemetry collection in deployments that monitor traffic from untrusted or partially trusted MongoDB clients. The affected code paths are in \u003ccode\u003epkg/ebpf/common/mongo_detect_transform.go\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malformed MongoDB OP_MSG packet or BSON document.\u003c/li\u003e\n\u003cli\u003eAttacker sends the crafted packet to the monitored MongoDB instance.\u003c/li\u003e\n\u003cli\u003eThe OpenTelemetry eBPF Instrumentation agent intercepts the MongoDB traffic.\u003c/li\u003e\n\u003cli\u003eThe agent\u0026rsquo;s \u003ccode\u003eparseOpMessage\u003c/code\u003e function attempts to read flag bits from the packet without proper bounds checking (versions v0.1.0-v0.3.0).\u003c/li\u003e\n\u003cli\u003eThe agent\u0026rsquo;s \u003ccode\u003eparseSections\u003c/code\u003e function attempts to read document-sequence length without proper bounds checking (versions v0.1.0-v0.3.0).\u003c/li\u003e\n\u003cli\u003eThe agent\u0026rsquo;s \u003ccode\u003eparseFirstField\u003c/code\u003e function performs an unchecked type assertion on BSON field values (versions v0.1.0-v0.8.0).\u003c/li\u003e\n\u003cli\u003eThe MongoDB parser encounters a slice-bounds panic or type assertion panic.\u003c/li\u003e\n\u003cli\u003eThe OpenTelemetry eBPF Instrumentation agent process terminates, leading to a denial of service and loss of telemetry data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial of service. An unauthenticated attacker can crash the OpenTelemetry eBPF Instrumentation agent by sending a crafted OP_MSG packet or malformed BSON document to a monitored MongoDB instance. This leads to a loss of observability until the agent process is restarted. This vulnerability impacts deployments that enable MongoDB parsing and process attacker-controlled or potentially malformed MongoDB traffic.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003ego.opentelemetry.io/obi\u003c/code\u003e package to version 0.9.0 or later to address the vulnerability described in CVE-2026-45685.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect OpenTelemetry MongoDB Parser Denial-of-Service Attempt\u0026rdquo; to identify suspicious network traffic targeting MongoDB instances that could trigger this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for malformed MongoDB packets, specifically those with truncated OP_MSG packets or malformed BSON documents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T20:20:25Z","date_published":"2026-05-18T20:20:25Z","id":"https://feed.craftedsignal.io/briefs/2026-05-opentelemetry-mongodb-dos/","summary":"Malformed MongoDB wire messages can trigger uncaught panics in the OpenTelemetry eBPF Instrumentation agent's MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service.","title":"OpenTelemetry eBPF Instrumentation MongoDB Parser Denial-of-Service","url":"https://feed.craftedsignal.io/briefs/2026-05-opentelemetry-mongodb-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-45685","version":"https://jsonfeed.org/version/1.1"}