
Description

A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.

PUBLISHED Reserved 2026-04-15 | Published 2026-04-16 | Updated 2026-04-16 | Assigner Google




HIGH: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-20 Improper input validation

Product status

Default status: unaffected

Any version before 5.34.0-RC1: affected

Any version before 4.33.6: affected

Credits

https://github.com/34selen (finder)

References

github.com/...otobuf/security/advisories/GHSA-p2gh-cfq4-4wjc

cve.org (CVE-2026-6409)

nvd.nist.gov (CVE-2026-6409)
