CVE-2026-45686: OpenTelemetry eBPF Instrumentation: Memcached payload length overflow can crash OBI
A remotely reachable integer overflow in OBI's memcached text protocol parser can crash the OBI process and cause denial of service. When parsing memcached storage commands (set, add, replace, append, prepend, cas), OBI takes the <bytes> field from the command header, which states the length of the data block that follows, and adds the length of the payload delimiter (the trailing "\r\n") to it without checking for overflow. A crafted request whose <bytes> field is math.MaxInt or math.MaxInt-1 makes that sum wrap to a negative value; the negative length is then passed to LargeBufferReader.Peek, which triggers a runtime panic and takes down the process.
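The following Go program is an added illustration of the flaw class described above. It is not OBI's code: the function names, the 1 MiB payload cap, and the in-memory stand-in for Peek are assumptions made here to show the vulnerable length computation beside a hardened one that rejects the advisory's trigger values before the addition happens.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// crlfLen is the size of the "\r\n" that terminates a memcached data block;
// a parser must read <bytes> + crlfLen bytes after the command header.
const crlfLen = 2

// maxPayload is an assumed upper bound for a single value (memcached's
// default item size limit is 1 MiB); it is not a limit taken from OBI.
const maxPayload = 1 << 20

// storageCmds are the text-protocol commands whose header carries <bytes>.
var storageCmds = map[string]bool{
	"set": true, "add": true, "replace": true,
	"append": true, "prepend": true, "cas": true,
}

// parseBytesField extracts <bytes> from a storage command header of the form
//   <cmd> <key> <flags> <exptime> <bytes> [<cas unique>] [noreply]
// strconv.Atoi rejects anything outside the platform int range, so the
// largest value that reaches the length computation is math.MaxInt.
func parseBytesField(header string) (int, error) {
	fields := strings.Fields(header)
	if len(fields) < 5 || !storageCmds[fields[0]] {
		return 0, errors.New("not a memcached storage command")
	}
	n, err := strconv.Atoi(fields[4])
	if err != nil {
		return 0, fmt.Errorf("bad <bytes> field %q: %w", fields[4], err)
	}
	return n, nil
}

// naivePayloadLen is the flawed pattern the advisory describes: the CRLF
// length is added to an attacker-controlled <bytes> with no overflow check.
// For math.MaxInt and math.MaxInt-1 the sum wraps to a negative int.
func naivePayloadLen(bytesField int) int {
	return bytesField + crlfLen
}

// safePayloadLen rejects negative values, sums that would wrap, and sizes
// beyond the assumed maximum before performing the addition.
func safePayloadLen(bytesField int) (int, error) {
	if bytesField < 0 {
		return 0, errors.New("negative <bytes>")
	}
	if bytesField > math.MaxInt-crlfLen {
		return 0, errors.New("<bytes> + CRLF would overflow int")
	}
	if bytesField > maxPayload {
		return 0, fmt.Errorf("<bytes> %d exceeds max payload %d", bytesField, maxPayload)
	}
	return bytesField + crlfLen, nil
}

// peekWithRecover is a stand-in (assumed here) for a buffered reader's Peek
// over an in-memory buffer. Slicing with a negative length is a runtime panic
// in Go, the failure mode the advisory attributes to LargeBufferReader.Peek;
// recover converts it into an error so a caller can observe it.
func peekWithRecover(buf []byte, n int) (out []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("peek panicked: %v", r)
		}
	}()
	if n > len(buf) {
		return nil, errors.New("not enough buffered data")
	}
	return buf[:n], nil
}

// hardenedPayloadLen is the end-to-end check a parser should apply per header.
func hardenedPayloadLen(header string) (int, error) {
	n, err := parseBytesField(header)
	if err != nil {
		return 0, err
	}
	return safePayloadLen(n)
}

func main() {
	// Constructed header carrying the advisory's trigger value.
	header := "set k 0 0 " + strconv.Itoa(math.MaxInt)
	n, _ := parseBytesField(header)
	fmt.Println("naive length:", naivePayloadLen(n))
	_, err := peekWithRecover([]byte("v\r\n"), naivePayloadLen(n))
	fmt.Println("naive peek:", err)
	_, err = hardenedPayloadLen(header)
	fmt.Println("hardened:", err)
	l, err := hardenedPayloadLen("set k 0 0 5")
	fmt.Println("hardened normal:", l, err)
}
```

The check `bytesField > math.MaxInt-crlfLen` is the one that closes the hole: it is evaluated before the addition, so the wrapped value never exists. The separate `maxPayload` bound is defence in depth; a parser that honours it never allocates or waits for gigabytes of data on behalf of a single crafted header.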