{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6409", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2026-04-15T21:56:37.963Z", "datePublished": "2026-04-16T14:30:51.568Z", "dateUpdated": "2026-04-16T15:24:43.164Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2026-04-16T14:30:51.568Z"}, "title": "Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-20", "description": "CWE-20 Improper input validation", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "affected": [{"vendor": "Protocol Buffers", "product": "Protobuf-php (Pecl)", "versions": [{"status": "affected", "version": "0", "lessThan": "5.34.0-RC1", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "4.33.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages\u2014specifically those containing negative\u00a0varints or deep recursion\u2014can be used to crash the application, impacting service availability.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages\u2014specifically those containing negative&nbsp;<code>varint</code>s or deep recursion\u2014can be used to crash the application, impacting service availability."}]}], "references": [{"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-p2gh-cfq4-4wjc"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "https://github.com/34selen", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T15:23:55.455444Z", "id": "CVE-2026-6409", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T15:24:43.164Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6409", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T15:23:55.455444Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T15:24:31.568Z"}}], "cna": {"title": "Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "https://github.com/34selen"}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Protocol Buffers", "product": "Protobuf-php (Pecl)", "versions": [{"status": "affected", "version": "0", "lessThan": "5.34.0-RC1", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "4.33.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-p2gh-cfq4-4wjc"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages\u2014specifically those containing negative\u00a0varints or deep recursion\u2014can be used to crash the application, impacting service availability.", "supportingMedia": [{"type": "text/html", "value": "A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages\u2014specifically those containing negative&nbsp;<code>varint</code>s or deep recursion\u2014can be used to crash the application, impacting service availability.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper input validation"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2026-04-16T14:30:51.568Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6409", "state": "PUBLISHED", "dateUpdated": "2026-04-16T15:24:43.164Z", "dateReserved": "2026-04-15T21:56:37.963Z", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "datePublished": "2026-04-16T14:30:51.568Z", "assignerShortName": "Google"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages\u2014specifically those containing negative\u00a0varints or deep recursion\u2014can be used to crash the application, impacting service availability."}], "id": "CVE-2026-6409", "lastModified": "2026-04-17T15:17:00.957", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2026-04-16T15:17:41.910", "references": [{"source": "cve-coordination@google.com", "url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-p2gh-cfq4-4wjc"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.34.0-RC1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.33.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Protobuf-php (Pecl)", "source": "cna", "vendor": "Protocol Buffers"}, "product": "protobuf-php", "vendor": "protocol_buffers"}], "analysis": {"en": {"generated_at": "2026-04-17T03:23:51.553356+00:00", "value": {"mitigation_remediation": ["Install the latest release of the Protobuf PHP library that contains the patch for this denial\u2011of\u2011service flaw", "Verify and restrict protobuf input before it reaches the parser\u2014enforce size limits, detect negative varints, and reject messages that could cause deep recursion", "Limit access to services that use the library so that only trusted or authenticated clients can send protobuf requests"], "summary": {"action": "Update Library", "impact": "Denial of Service (remote application crash)"}, "threat_synthesis": {"affected_systems": "Any PHP application that depends on the Protobuf PHP package distributed via PECL is potentially impacted. Versions of the library released before the publicly documented fix are considered vulnerable. The vulnerability does not target the PHP language itself, but the library that imports and decodes external protobuf messages.", "description_and_impact": "The flaw lies in the Protobuf PHP library\u2019s parsing routine for untrusted data. Messages that embed negative varints or trigger deep recursion force the parser logic to misbehave, causing a crash of the application or service that processes the data. Because the crash is unconditional, the attacker can repeatedly induce downtime by sending these crafted messages. This weakness is an input validation flaw, and it enables an attacker to compromise system availability for any application that relies on that library.", "risk_and_exploitability": "The assigned CVSS score of 7.1 calls out a high severity level for availability impact. No proven exploits have appeared in public advisories, and the vulnerability is not in the current known exploited vulnerability list, indicating limited evidence of widespread exploitation. An attacker can exploit the weakness by sending a maliciously constructed protobuf payload to any exposed endpoint or service that invokes the parser, leading to an application crash and forcing a restart or downtime."}}}}, "created": "2026-04-16T18:58:27.196047+00:00", "updated": "2026-04-17T03:30:08.591067+00:00", "vendors": ["protocol_buffers", "protocol_buffers$PRODUCT$protobuf-php"]}