CVE-2026-55407

Source
https://cve.org/CVERecord?id=CVE-2026-55407
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55407.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55407
Aliases
  • GHSA-f9qc-qg88-7pq5
Published
2026-07-16T15:57:31.704Z
Modified
2026-07-18T03:47:38.961406173Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Buffa: Memory Exhaustion Denial of Service in decode_unknown_field via Unbounded Allocation
Details

Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.8.0, the decodeunknownfield function in buffa's protobuf decoder allocated heap memory in proportion to untrusted input (unknown fields in the serialized protobuf) without enforcing an allocation budget, affecting any message decoded from untrusted input using code generated with preserveunknownfields=true (the default); a small, well-formed payload of nested unknown fields inside a StartGroup could trigger roughly 22x memory amplification (for example a 64 MiB input forcing about 1.4 GB of heap allocation), and length-delimited unknown fields could be sized arbitrarily, so an unauthenticated attacker could crash a process through memory exhaustion because the top-level message size cap did not account for in-decode amplification. This issue is fixed in version 0.8.0.

Database specific
{
    "cwe_ids": [
        "CWE-400",
        "CWE-770",
        "CWE-789"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55407.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/anthropics/buffa

Affected ranges

Type
GIT
Repo
https://github.com/anthropics/buffa
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.8.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.1.0
v0.2.0
v0.3.0
v0.4.0
v0.5.0
v0.5.1
v0.5.2
v0.6.0
v0.7.0
v0.7.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55407.json"