{"data":{"id":"0c34b2ed-19b4-435b-98e7-fc4897576c25","title":"GHSA-j8p6-96vp-f3r9: OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages","summary":"Malformed MongoDB wire messages can crash the OpenTelemetry eBPF Instrumentation telemetry agent through uncaught panics in its MongoDB parser, allowing remote attackers to cause denial of service. The parser checks attacker-controlled network data without fully validating it first, so a single crafted message can stop telemetry collection until the agent restarts.","solution":"The bounds-check panics affecting versions v0.1.0 through v0.3.0 were fixed by commit `3aa58cdaaa97fbb72f8ef4c3609ae425aacaf8bb` (`Fix MongoDB client panic`), which first appears in release `v0.4.0`. However, the unchecked BSON type assertion panic affecting versions v0.1.0 through v0.8.0 remains unfixed as of the advisory date.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-j8p6-96vp-f3r9","publishedAt":"2026-05-18T20:20:03.000Z","cveId":"CVE-2026-45685","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["go.opentelemetry.io/obi@< 0.9.0 (fixed: 0.9.0)"],"affectedVendors":[],"affectedVendorsRaw":["OpenTelemetry"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-18T20:20:03.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["availability"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}