GHSA-pgvv-q3wf-mm9m: OpenTelemetry eBPF Instrumentation: Postgres BIND parsing can panic on malformed payloads
High severity vulnerability
Summary
OpenTelemetry eBPF Instrumentation (OBI) has a vulnerability in its Postgres protocol parser: the parser can crash when it receives a malformed BIND message (a type of Postgres network packet). The parser does not check that the message payload is complete before reading from it, so an attacker could send a specially crafted empty or truncated packet to make the program panic and stop collecting telemetry data.
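As an added illustration of the missing check the summary describes (this is example code, not OBI's parser or its fix), a Go decoder for the body of a Postgres Bind message that verifies every length field against the remaining bytes and returns an error, instead of panicking, on empty or truncated input. The field layout follows the PostgreSQL wire protocol; the result-column format codes that trail the parameter values are left unread.

```go
package main

import "bytes"
import "encoding/binary"
import "errors"

// ErrTruncated is returned, instead of panicking, when a field runs past the payload.
var ErrTruncated = errors.New("postgres bind: truncated payload")
// reader bounds-checks each field against the remaining bytes; after a short read all later reads fail.
type reader struct {
	buf []byte
	pos int
	err error
}
func (r *reader) take(n int) []byte {
	if r.err != nil || n < 0 || n > len(r.buf)-r.pos {
		r.err = ErrTruncated
		return nil
	}
	r.pos += n
	return r.buf[r.pos-n : r.pos]
}
func (r *reader) num(size int) int { // big-endian int16 (size 2) or int32 (size 4)
	if v := r.take(size); v != nil { // left-pad to 4 bytes so one decode fits both
		return int(int32(binary.BigEndian.Uint32(append(make([]byte, 4-size), v...))))
	}
	return 0
}
func (r *reader) cstring() string { // NUL-terminated; no terminator means truncated
	s, _, ok := bytes.Cut(r.buf[r.pos:], []byte{0})
	if !ok {
		s = r.buf[r.pos:] // take(len(s)+1) then overruns and records ErrTruncated
	}
	r.take(len(s) + 1)
	return string(s)
}
// ParseBind decodes a Bind body (the bytes after the 'B' type byte and the int32
// length prefix); a nil params entry is SQL NULL, and on error the rest is invalid.
func ParseBind(payload []byte) (portal, stmt string, params [][]byte, err error) {
	r := &reader{buf: payload}
	portal, stmt = r.cstring(), r.cstring()
	r.take(2 * r.num(2)) // skip the int16 parameter format codes
	for n := r.num(2); n > 0 && r.err == nil; n-- {
		if size := r.num(4); size < 0 { // int32 value length; -1 means NULL
			params = append(params, nil)
		} else {
			params = append(params, r.take(size))
		}
	}
	return portal, stmt, params, r.err
}
```

The same pattern applies to any length-prefixed wire format: every count or length read from the packet is treated as untrusted until the bytes it claims are actually present.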
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
May 18, 2026
Classification
Attack Sophistication
Trivial
Affected Packages
go.opentelemetry.io/obi@< 0.9.0 (fixed: 0.9.0)
Original source: https://github.com/advisories/GHSA-pgvv-q3wf-mm9m
First tracked: May 18, 2026 at 02:00 PM