CVE-2026-45799: Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding service
Wire’s protobuf group-skipping logic did not reject negative lengths before skipping a
length-delimited field inside a group. A crafted protobuf payload could cause Wire to throw an
unchecked runtime exception during decoding instead of the documented IOException /
ProtocolException failure path.
This can crash services that decode untrusted protobuf payloads and only handle Wire’s documented checked decoding failures.
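One way to keep a single failure path around Wire decoding of untrusted input, shown as an added example that is not code from Wire or from this advisory: unchecked exceptions escaping the decoder are converted into the checked `ProtocolException` that callers already handle. The class and method names (`SafeWireDecode`, `decodeUntrusted`, `decodeOrReject`) are hypothetical; the only Wire API assumed is `ProtoAdapter.decode(byte[])`.

```java
import com.squareup.wire.ProtoAdapter;
import java.io.IOException;
import java.net.ProtocolException;

/**
 * Added example (not Wire's code): decode untrusted bytes so that every
 * decoding failure reaches the caller as a checked IOException.
 */
public final class SafeWireDecode {
    private SafeWireDecode() {}

    /**
     * Decodes payload with the given adapter. Unchecked exceptions thrown from
     * inside the decoder are wrapped in ProtocolException, so existing
     * catch (IOException) blocks handle them like any other malformed input.
     */
    public static <T> T decodeUntrusted(ProtoAdapter<T> adapter, byte[] payload)
            throws IOException {
        try {
            return adapter.decode(payload);
        } catch (RuntimeException e) {
            // Malformed input surfaced as an unchecked exception: report it as
            // a protocol error instead of letting it unwind the worker thread.
            ProtocolException wrapped = new ProtocolException(
                "malformed protobuf payload: " + e.getClass().getName());
            wrapped.initCause(e); // keep the original stack trace for triage
            throw wrapped;
        }
    }

    /** Hypothetical request-handling step: returns null when the payload is rejected. */
    public static <T> T decodeOrReject(ProtoAdapter<T> adapter, byte[] payload) {
        try {
            return decodeUntrusted(adapter, payload);
        } catch (IOException e) {
            // Single failure path for checked and wrapped unchecked errors:
            // log the rejection and drop the message.
            System.err.println("rejected payload (" + payload.length + " bytes): " + e);
            return null;
        }
    }
}
```

The wrapper catches only `RuntimeException`, so JVM `Error`s still propagate, and the wrapped exception's class name in the log gives a signal to alert on when malformed payloads arrive.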