CVE-2026-6409: Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion
(updated )
A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.
References
- github.com/advisories/GHSA-p2gh-cfq4-4wjc
- github.com/protocolbuffers/protobuf
- github.com/protocolbuffers/protobuf/commit/60e93d2d104f2af9cd345b1c6f3891d91430244a
- github.com/protocolbuffers/protobuf/commit/c8e9b27d95c6ab2d0668b5889e7dac2c477b7038
- github.com/protocolbuffers/protobuf/issues/24159
- github.com/protocolbuffers/protobuf/issues/25067
- github.com/protocolbuffers/protobuf/security/advisories/GHSA-p2gh-cfq4-4wjc
- nvd.nist.gov/vuln/detail/CVE-2026-6409
Code Behaviors & Features
Detect and mitigate CVE-2026-6409 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →