Description
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.7.0 to before version 0.9.0, a remotely reachable integer overflow in OBI's memcached text protocol parser can crash the OBI process and cause denial of service. When parsing memcached storage commands such as set, add, replace, append, prepend, or cas, OBI accepts extremely large <bytes> values and adds the payload delimiter length without checking for overflow. A crafted request with <bytes> set to math.MaxInt or math.MaxInt-1 causes the computed payload length to wrap negative and triggers a runtime panic in LargeBufferReader.Peek. This issue has been patched in version 0.9.0.
Published: 2026-06-02
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an integer overflow in the memcached text protocol parser of the OpenTelemetry eBPF instrumentation, which can be triggered by sending excessively large <bytes> values in storage commands such as set, add, replace, append, prepend, or cas. This overflow causes the computed payload length to wrap to a negative value, leading to a runtime panic in LargeBufferReader.Peek. The result is a crash of the OBI process, causing denial of service. The weakness is classified as integer overflow (CWE-190).
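The length arithmetic the advisory describes, shown as an added Go illustration that is not OBI's code: a hypothetical parser for the memcached storage command header computes <bytes> plus the two-byte "\r\n" delimiter both unchecked (wrapping negative for MaxInt64 or MaxInt64-1, exactly the values named above) and with a bounds check that rejects such values before the addition. The 1 MiB payload cap is an assumed value.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

const delimiterLen = 2     // length of the "\r\n" that ends a memcached data block
const maxPayload = 1 << 20 // assumed cap on accepted data blocks (1 MiB, memcached's classic default)
// parseBytesField extracts <bytes> (always the fifth token) from a storage command header
// such as "set <key> <flags> <exptime> <bytes> [noreply]"; cas appends <cas unique> after it.
func parseBytesField(line string) (int64, error) {
	f := strings.Fields(line)
	if len(f) < 5 {
		return 0, fmt.Errorf("malformed storage command: %q", line)
	}
	return strconv.ParseInt(f[4], 10, 64)
}

// payloadLenUnchecked mirrors the flawed arithmetic the advisory describes: the
// delimiter length is added blindly, so MaxInt64 or MaxInt64-1 wraps negative.
func payloadLenUnchecked(line string) (int64, error) {
	n, err := parseBytesField(line)
	if err != nil {
		return 0, err
	}
	return n + delimiterLen, nil
}

// payloadLenChecked bounds <bytes> before the addition, so the sum cannot wrap and
// the buffered reader is never asked to peek a negative or absurd length.
func payloadLenChecked(line string) (int64, error) {
	n, err := parseBytesField(line)
	if err != nil {
		return 0, err
	}
	if n < 0 || n > maxPayload || n > math.MaxInt64-delimiterLen {
		return 0, fmt.Errorf("rejecting <bytes>=%d: outside [0, %d]", n, maxPayload)
	}
	return n + delimiterLen, nil
}

func main() {
	line := "set k 0 0 9223372036854775807" // constructed header with <bytes> = MaxInt64
	bad, _ := payloadLenUnchecked(line)
	_, err := payloadLenChecked(line)
	fmt.Println("unchecked:", bad, "checked:", err) // unchecked prints -9223372036854775807
}
```

A parser that never forms the wrapped length has nothing to hand to the reader, so the panic path described in the advisory is simply unreachable.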

Affected Systems

All installations of OpenTelemetry eBPF instrumentation from version 0.7.0 up to, but not including, version 0.9.0 are affected. The flaw is fixed starting with version 0.9.0.

Risk and Exploitability

The CVSS base score of 7.5 indicates high severity. No EPSS score is available, but the attack vector is remote and requires the ability to send memcached text protocol commands to the OBI instance. The vulnerability is not listed in the CISA KEV catalog. An attacker could send a crafted request containing a <bytes> value of the maximum 64-bit integer or one less, causing a crash that results in denial of service until the service is restarted. The main risk is service interruption for the affected environment rather than data theft or privilege escalation.

Generated by OpenCVE AI on June 2, 2026 at 16:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenTelemetry eBPF instrumentation to version 0.9.0 or later to apply the integer overflow fix.
  • If upgrading is not immediately possible, block or quarantine the memcached interface to the OBI instance from untrusted hosts to prevent malicious payloads.
  • Configure monitoring and alerts to detect crashes or panic logs from the OBI service and to trigger rapid remediation actions.

Tracking

Advisories
Source: Github GHSA
ID: GHSA-43g7-cwr8-q3jh
Title: OpenTelemetry eBPF Instrumentation: Memcached payload length overflow can crash OBI
History

Tue, 02 Jun 2026 17:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Opentelemetry; Opentelemetry opentelemetry-ebpf-instrumentation
Vendors & Products   -                Opentelemetry; Opentelemetry opentelemetry-ebpf-instrumentation

Tue, 02 Jun 2026 15:45:00 +0000

Type          Values Removed   Values Added
Description   -                OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.7.0 to before version 0.9.0, a remotely reachable integer overflow in OBI's memcached text protocol parser can crash the OBI process and cause denial of service. When parsing memcached storage commands such as set, add, replace, append, prepend, or cas, OBI accepts extremely large <bytes> values and adds the payload delimiter length without checking for overflow. A crafted request with <bytes> set to math.MaxInt or math.MaxInt-1 causes the computed payload length to wrap negative and triggers a runtime panic in LargeBufferReader.Peek. This issue has been patched in version 0.9.0.
Title         -                OpenTelemetry eBPF Instrumentation: Memcached payload length overflow can crash OBI
Weaknesses    -                CWE-190
References    -                (none listed)
Metrics       -                cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Opentelemetry Opentelemetry-ebpf-instrumentation
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T15:25:55.764Z

Reserved: 2026-05-13T04:38:01.164Z

Link: CVE-2026-45686

Vulnrichment

No data.

NVD

Status : Undergoing Analysis

Published: 2026-06-02T16:16:43.493

Modified: 2026-06-02T17:14:05.363

Link: CVE-2026-45686

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T16:45:13Z

Weaknesses