HIGHCVE-2026-6409Published Modified CNA Google
CVE-2026-6409: Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input
A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.
Metrics
- CVSS v4.0
- 7.1
- Severity
- HIGH
- Fixed in
- 4.33.6
- Affected Products
- 1
Fix available
4.33.65.34.0-RC1
Affected packages
- Protocol Buffers / Protobuf-php (Pecl)< 5.34.0-RC1 (from 0) · < 4.33.6 (from 0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:NReferences