Impact
The vulnerability resides in the MongoDB TCP parser of OpenTelemetry eBPF Instrumentation, where malformed MongoDB wire messages are parsed before any input validation is performed. The missing safeguard leads to an uncaught panic that terminates the telemetry agent process. Telemetry collection then becomes unavailable for the affected node, which amounts to a denial of service for any monitoring and observability functions that rely on that agent. The weakness is classified under CWE-20 (improper input validation), CWE-248 (uncaught exception) and CWE-704 (incorrect type conversion or cast).
Affected Systems
Affected are deployments of OpenTelemetry eBPF Instrumentation from version 0.1.0 up to, but not including, 0.9.0. The agent process that traces MongoDB traffic can be crashed by any remote source able to send arbitrary MongoDB wire messages to the telemetry service.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity and warrants prompt attention. No EPSS score is available, but the vulnerability can be exploited remotely and without authentication simply by crafting a malicious message on the network. Because the agent interprets raw network data without prior validation, a single crafted packet is enough to bring down the process, so the attack requires little effort. The vulnerability is not listed in the CISA KEV catalog, but the impact remains significant for observability and monitoring workloads.
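The following Go parser is an added illustration, not code from OpenTelemetry eBPF Instrumentation or from its fix: it shows the bounds checks a MongoDB wire-protocol decoder needs before it slices or casts, so that a truncated or lying message is returned as an error instead of escaping as a panic that takes the agent down. The header layout and opcode values are taken from the MongoDB wire protocol specification; the function names and the sample bytes are my own.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Wire header: four little-endian int32s (messageLength, requestID, responseTo, opCode).
const headerLen = 16
const opReply, opQuery, opCompressed, opMsg int32 = 1, 2004, 2012, 2013 // per the wire spec

// ParseHeader checks every length field before any slicing, so a truncated
// or lying message yields an error instead of an out-of-range panic.
func ParseHeader(buf []byte) (msgLen int, opCode int32, err error) {
	if len(buf) < headerLen {
		return 0, 0, fmt.Errorf("mongo: %d bytes is shorter than a wire header", len(buf))
	}
	msgLen = int(int32(binary.LittleEndian.Uint32(buf[0:4])))
	opCode = int32(binary.LittleEndian.Uint32(buf[12:16]))
	// messageLength includes the header; a negative or oversized value is what becomes a bad slice bound.
	if msgLen < headerLen || msgLen > len(buf) {
		return 0, 0, fmt.Errorf("mongo: messageLength %d inconsistent with %d bytes", msgLen, len(buf))
	}
	switch opCode {
	case opReply, opQuery, opCompressed, opMsg:
		return msgLen, opCode, nil
	}
	return 0, 0, fmt.Errorf("mongo: unknown opCode %d", opCode)
}

// OpMsgBodyLen returns the declared BSON length of the first OP_MSG section
// (kind 0, one document) after checking that it fits inside the message.
func OpMsgBodyLen(buf []byte) (int, error) {
	msgLen, opCode, err := ParseHeader(buf)
	if err != nil {
		return 0, err
	} else if opCode != opMsg {
		return 0, fmt.Errorf("mongo: opCode %d is not OP_MSG", opCode)
	}
	body := buf[headerLen:msgLen] // flagBits(4) | kind(1) | bsonLen(4) | ...
	if len(body) < 9 || body[4] != 0 {
		return 0, fmt.Errorf("mongo: OP_MSG first section missing or not kind 0")
	}
	docLen := int(int32(binary.LittleEndian.Uint32(body[5:9])))
	if docLen < 5 || docLen > len(body)-5 {
		return 0, fmt.Errorf("mongo: BSON length %d exceeds section of %d bytes", docLen, len(body)-5)
	}
	return docLen, nil
}
```

Every length read from the wire is compared with the bytes actually held before it is used as a slice bound, which is the check whose absence turns malformed input into a process-terminating panic.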