CVE-2026-6409
EPSS 0.03%Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion
Published: 3/25/2026Modified: 4/28/2026
Description
A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.
Affected packages (2)
- Debian/protobuffrom 0
- Packagist/google/protobuffrom 0, < 4.33.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-6409
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-6409
- PATCHhttps://github.com/protocolbuffers/protobuf
- WEBhttps://github.com/protocolbuffers/protobuf/commit/60e93d2d104f2af9cd345b1c6f3891d91430244a
- WEBhttps://github.com/protocolbuffers/protobuf/commit/c8e9b27d95c6ab2d0668b5889e7dac2c477b7038
- WEBhttps://github.com/protocolbuffers/protobuf/issues/24159
- WEBhttps://github.com/protocolbuffers/protobuf/issues/25067
- WEBhttps://github.com/protocolbuffers/protobuf/security/advisories/GHSA-p2gh-cfq4-4wjc