{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/memcached/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["go.opentelemetry.io/obi"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","integer-overflow","memcached","opentelemetry"],"_cs_type":"advisory","_cs_vendors":["opentelemetry"],"content_html":"\u003cp\u003eA denial-of-service vulnerability exists in the memcached text protocol parser within OpenTelemetry eBPF Instrumentation (OBI). The vulnerability resides in the \u003ccode\u003epkg/ebpf/common/memcached_detect_transform.go\u003c/code\u003e file, where the parser lacks proper bounds checking when handling the \u003ccode\u003e\u0026lt;bytes\u0026gt;\u003c/code\u003e field of memcached storage commands (\u003ccode\u003eset\u003c/code\u003e, \u003ccode\u003eadd\u003c/code\u003e, \u003ccode\u003ereplace\u003c/code\u003e, \u003ccode\u003eappend\u003c/code\u003e, \u003ccode\u003eprepend\u003c/code\u003e, \u003ccode\u003ecas\u003c/code\u003e). By sending a crafted memcached request with an extremely large \u003ccode\u003e\u0026lt;bytes\u0026gt;\u003c/code\u003e value (e.g., \u003ccode\u003emath.MaxInt\u003c/code\u003e or \u003ccode\u003emath.MaxInt-1\u003c/code\u003e), an attacker can cause an integer overflow during payload length calculation. This overflow results in a negative payload length being passed to \u003ccode\u003eLargeBufferReader.Peek\u003c/code\u003e in \u003ccode\u003epkg/internal/largebuf/large_buffer.go\u003c/code\u003e, triggering a runtime panic and crashing the OBI process. This vulnerability affects OBI versions 0.7.0 to 0.8.x, allowing a remote attacker to disrupt telemetry collection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an OBI instance instrumenting memcached traffic.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a memcached storage command (e.g., \u003ccode\u003eset\u003c/code\u003e) with a large \u003ccode\u003e\u0026lt;bytes\u0026gt;\u003c/code\u003e field (close to \u003ccode\u003emath.MaxInt\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker sends the crafted memcached storage command to a service instrumented by the vulnerable OBI instance on port 11211.\u003c/li\u003e\n\u003cli\u003eOBI\u0026rsquo;s memcached request parser (\u003ccode\u003ememcachedCommandBytesField\u003c/code\u003e in \u003ccode\u003epkg/ebpf/common/memcached_detect_transform.go\u003c/code\u003e) receives the crafted command and parses the \u003ccode\u003e\u0026lt;bytes\u0026gt;\u003c/code\u003e field using \u003ccode\u003estrconv.Atoi\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eOBI calculates the payload length by adding the \u003ccode\u003e\u0026lt;bytes\u0026gt;\u003c/code\u003e value to the length of the trailing \u003ccode\u003e\\r\\n\u003c/code\u003e delimiter.\u003c/li\u003e\n\u003cli\u003eDue to the large \u003ccode\u003e\u0026lt;bytes\u0026gt;\u003c/code\u003e value, the addition overflows, resulting in a negative \u003ccode\u003epayloadLen\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe negative \u003ccode\u003epayloadLen\u003c/code\u003e is passed to \u003ccode\u003eLargeBufferReader.Peek\u003c/code\u003e in \u003ccode\u003epkg/internal/largebuf/large_buffer.go\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eLargeBufferReader.Peek\u003c/code\u003e attempts to slice a buffer with the negative length, causing a Go runtime panic and crashing the OBI process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial of service (DoS) against the OBI process. This leads to a loss of telemetry data collection for any services being monitored by the affected OBI instance. The attacker only needs to send a crafted memcached storage command to a service that OBI is instrumenting. This vulnerability impacts OBI deployments where the memcached parser is active and the instrumented services are reachable or influenceable by an attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect OpenTelemetry OBI Memcached Integer Overflow Attempt\u003c/code\u003e to detect crafted memcached storage commands with extremely large \u003ccode\u003e\u0026lt;bytes\u0026gt;\u003c/code\u003e values in network traffic.\u003c/li\u003e\n\u003cli\u003eMonitor OBI process logs and container status for crashes originating from \u003ccode\u003eLargeBufferReader.Peek\u003c/code\u003e, as indicated in the overview, to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsider filtering or sanitizing memcached storage command inputs to prevent excessively large \u003ccode\u003e\u0026lt;bytes\u0026gt;\u003c/code\u003e values from reaching instrumented services.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T20:22:53Z","date_published":"2026-05-18T20:22:53Z","id":"https://feed.craftedsignal.io/briefs/2026-05-opentelemetry-integer-overflow/","summary":"A remotely reachable integer overflow in OpenTelemetry eBPF Instrumentation's (OBI) memcached text protocol parser can crash the OBI process, causing a denial of service due to unchecked arithmetic when handling large payload sizes in memcached storage commands.","title":"OpenTelemetry eBPF Instrumentation (OBI) Memcached Integer Overflow DoS","url":"https://feed.craftedsignal.io/briefs/2026-05-opentelemetry-integer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Memcached","version":"https://jsonfeed.org/version/1.1"}