GHSA-j8p6-96vp-f3r9: OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages
Summary
Malformed MongoDB wire messages can crash the OpenTelemetry eBPF Instrumentation telemetry agent through uncaught panics in its MongoDB parser, allowing remote attackers to cause a denial of service. The parser indexes into attacker-controlled wire data without bounds checks and performs an unchecked BSON type assertion, so a single crafted message that reaches an instrumented MongoDB port stops telemetry collection until the agent restarts.
Solution / Mitigation
The bounds-check panics affecting versions v0.1.0 through v0.3.0 were fixed by commit `3aa58cdaaa97fbb72f8ef4c3609ae425aacaf8bb` (`Fix MongoDB client panic`), which first appears in release `v0.4.0`. However, the unchecked BSON type assertion panic affecting versions v0.1.0 through v0.8.0 remains unfixed as of the advisory date. Upgrading to v0.4.0 or later therefore narrows the issue but does not close it: every release up to and including v0.8.0 can still be crashed by a crafted BSON value.
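The two failure classes named above (length fields trusted when slicing, and a single-value type assertion on a BSON value) are easiest to see side by side. The following Go program is an added example written for this page; it is not the project's parser and does not reproduce its code. It assumes a minimal OP_MSG subset (one body section, string values only) and hypothetical names (`naiveBody`, `naiveDB`, `decodeOpMsg`, `safeDB`); the sample messages are constructed inline, not captured traffic.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	headerLen  = 16   // messageLength, requestID, responseTo, opCode (int32 LE each)
	opMsg      = 2013 // OP_MSG opcode
	bsonString = 0x02 // BSON element type: UTF-8 string
)

var errMalformed = errors.New("malformed mongodb wire message")

// opMsgWith wraps a BSON document in a minimal OP_MSG (flagBits 0, one body section).
func opMsgWith(doc []byte) []byte {
	msg := make([]byte, headerLen+5+len(doc))
	binary.LittleEndian.PutUint32(msg[0:], uint32(len(msg)))
	binary.LittleEndian.PutUint32(msg[12:], opMsg) // requestID/responseTo/flagBits stay 0
	msg[headerLen+4] = 0                           // section kind 0: body
	copy(msg[headerLen+5:], doc)
	return msg
}

// strDoc encodes a constructed one-field BSON document {key: val} with a string value.
func strDoc(key, val string) []byte {
	doc := []byte{0, 0, 0, 0, bsonString}
	doc = append(doc, key...)
	doc = append(doc, 0)
	doc = binary.LittleEndian.AppendUint32(doc, uint32(len(val)+1))
	doc = append(doc, val...)
	doc = append(doc, 0, 0) // string terminator, then document terminator
	binary.LittleEndian.PutUint32(doc, uint32(len(doc)))
	return doc
}

// naiveBody is the unchecked pattern: a short message or a lying BSON length panics.
func naiveBody(msg []byte) []byte {
	body := msg[headerLen+5:]
	return body[:binary.LittleEndian.Uint32(body[0:4])]
}

// naiveDB is the unchecked assertion: an absent key or non-string value panics.
func naiveDB(fields map[string]any) string { return fields["$db"].(string) }

// safeDB uses the two-value assertion form and reports the problem instead.
func safeDB(fields map[string]any) (string, error) {
	if v, ok := fields["$db"].(string); ok {
		return v, nil
	}
	return "", errMalformed
}

// decodeOpMsg decodes the body section of an OP_MSG into its top-level fields,
// checking every read against both the buffer and the document's own length prefix.
func decodeOpMsg(msg []byte) (map[string]any, error) {
	if len(msg) < headerLen+5+5 || int(binary.LittleEndian.Uint32(msg)) != len(msg) ||
		binary.LittleEndian.Uint32(msg[12:]) != opMsg || msg[headerLen+4] != 0 {
		return nil, errMalformed
	}
	body := msg[headerLen+5:]
	docLen := int(binary.LittleEndian.Uint32(body))
	if docLen < 5 || docLen > len(body) || body[docLen-1] != 0 {
		return nil, errMalformed
	}
	fields := map[string]any{}
	for p := 4; body[p] != 0; {
		typ, end := body[p], bytes.IndexByte(body[p+1:docLen], 0)
		if typ != bsonString || end < 0 || p+end+6 > docLen {
			return nil, errMalformed // unsupported type, unterminated key, or no room for a length
		}
		key := string(body[p+1 : p+1+end])
		n := int(binary.LittleEndian.Uint32(body[p+end+2:]))
		p += end + 6
		if n < 1 || p+n > docLen-1 || body[p+n-1] != 0 {
			return nil, errMalformed
		}
		fields[key] = string(body[p : p+n-1])
		p += n
	}
	return fields, nil
}

// panics reports whether f panics; it exists only to show the failure mode.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	bad := opMsgWith(strDoc("ping", "1"))
	binary.LittleEndian.PutUint32(bad[headerLen+5:], 0x7fffffff) // lie about the BSON length
	fields, err := decodeOpMsg(opMsgWith(strDoc("$db", "admin")))
	fmt.Println(fields, err)
	_, err = decodeOpMsg(bad)
	fmt.Println(err, panics(func() { naiveBody(bad) }), panics(func() { naiveDB(map[string]any{}) }))
}
```

The hardened decoder validates the outer messageLength against the bytes it actually holds, then treats the BSON length prefix as a claim to be checked rather than an index to be trusted; `safeDB` replaces `v.(string)` with `v, ok := x.(string)`. In a long-running agent that parses traffic it does not control, wrapping each message's parse in a `recover` is also worth doing so that a missed case costs one message rather than the process.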
Vulnerability Details
EPSS: 0.0%
Yes
May 18, 2026
Related Issues
CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem
CVE-2021-29541: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null p
Original source: https://github.com/advisories/GHSA-j8p6-96vp-f3r9
First tracked: May 18, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 75%