CVE-2026-6409

Source
https://cve.org/CVERecord?id=CVE-2026-6409
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-6409.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-6409
Aliases
Downstream
Published
2026-04-16T14:30:51.568Z
Modified
2026-07-17T19:05:52.739799Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input
Details

A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.

Database specific
{
    "cwe_ids": [
        "CWE-20"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6409.json",
    "cna_assigner": "Google"
}
References

Affected packages

Git / github.com/protocolbuffers/protobuf

Affected ranges

Type
GIT
Repo
https://github.com/protocolbuffers/protobuf
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.34.0-RC1"
        },
        {
            "fixed": "4.33.6"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

rust-prerelease-4.*
rust-prerelease-4.30.0-beta1
rust-prerelease-4.31.0-beta1
v2.*
v2.6.0
v2.6.1rc1
Other
v26-dev
v27-dev
v28-dev
v29-dev
v30-dev
v31-dev
v32-dev
v33-dev
v3.*
v3.0.0-alpha-3
v3.0.0-alpha-4
v3.0.0-beta-1
v3.0.0-beta-1-bzl-fix
v3.0.0-beta-2
v3.0.0-beta-3-pre-1
v3.12.3
v3.20.0-rc2
v33.*
v33.0-rc1
v4.*
v4.33.0-rc1-objectivec

Database specific

vanir_signatures
[
    {
        "source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "293587433391502417172988884473184163216",
                "283805727036866803825225166658158933342",
                "238210429121914992134384152134703349305",
                "76302580530912882639147250337661808496",
                "128900572252551353919169131760864236249"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-6409-028d96fb",
        "target": {
            "file": "src/google/protobuf/wrappers.pb.h"
        }
    },
    {
        "source": "https://github.com/protocolbuffers/protobuf/commit/6e1998413a5bca7c058b85999667893f167434bc",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "333170449206135040106821312145359843255",
                "280015746586202993717428809723835945131",
                "33629295250416755498067831215155967102",
                "215908973485308819892957006685588128161"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-6409-0464d8d8",
        "target": {
            "file": "java/core/src/main/java/com/google/protobuf/RuntimeVersion.java"
        }
    },
    {
        "source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "242044830337533364415036252816020343776",
                "283805727036866803825225166658158933342",
                "238210429121914992134384152134703349305",
                "76302580530912882639147250337661808496",
                "128900572252551353919169131760864236249"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-6409-050cb0eb",
        "target": {
            "file": "src/google/protobuf/api.pb.h"
        }
    },
    {
        "source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "308740214268374788873652203696633162152",
                "283805727036866803825225166658158933342",
                "238210429121914992134384152134703349305",
                "76302580530912882639147250337661808496",
                "128900572252551353919169131760864236249"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-6409-17aa41eb",
        "target": {
            "file": "src/google/protobuf/timestamp.pb.h"
        }
    },
    {
        "source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "98733759163156666860414000799353510873",
                "283805727036866803825225166658158933342",
                "238210429121914992134384152134703349305",
                "76302580530912882639147250337661808496",
                "128900572252551353919169131760864236249"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-6409-17d65a8a",
        "target": {
            "file": "src/google/protobuf/field_mask.pb.h"
        }
    },
    {
        "source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "135065695527964093886488623779684532153",
                "283805727036866803825225166658158933342",
                "238210429121914992134384152134703349305",
                "76302580530912882639147250337661808496",
                "128900572252551353919169131760864236249"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-6409-211de60c",
        "target": {
            "file": "src/google/protobuf/empty.pb.h"
        }
    },
    {
        "source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "111393161344815088188651509583831737488",
                "283805727036866803825225166658158933342",
                "238210429121914992134384152134703349305",
                "76302580530912882639147250337661808496",
                "128900572252551353919169131760864236249"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-6409-23abedc3",
        "target": {
            "file": "src/google/protobuf/struct.pb.h"
        }
    },
    {
        "source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "239274286640701806485802098800052541016",
                "283805727036866803825225166658158933342",
                "238210429121914992134384152134703349305",
                "76302580530912882639147250337661808496",
                "128900572252551353919169131760864236249"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-6409-2698561b",
        "target": {
            "file": "src/google/protobuf/duration.pb.h"
        }
    },
    {
        "source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "105566796257300201076777150700032360669",
                "283805727036866803825225166658158933342",
                "238210429121914992134384152134703349305",
                "76302580530912882639147250337661808496",
                "128900572252551353919169131760864236249"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-6409-30136eeb",
        "target": {
            "file": "src/google/protobuf/any.pb.h"
        }
    },
    {
        "source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "197705528284598073415371824521333691909",
                "283805727036866803825225166658158933342",
                "238210429121914992134384152134703349305",
                "76302580530912882639147250337661808496",
                "128900572252551353919169131760864236249"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-6409-72919372",
        "target": {
            "file": "src/google/protobuf/cpp_features.pb.h"
        }
    },
    {
        "source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "20810329268721340310766549515082347273",
                "329995525058581828883932521799122571978",
                "283206227101758475225173215830832117357",
                "215908973485308819892957006685588128161"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-6409-820fe68a",
        "target": {
            "file": "java/core/src/main/java/com/google/protobuf/RuntimeVersion.java"
        }
    },
    {
        "source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "278684249155769608502554103167593690099",
                "283805727036866803825225166658158933342",
                "238210429121914992134384152134703349305",
                "76302580530912882639147250337661808496",
                "128900572252551353919169131760864236249"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-6409-92cbbc4c",
        "target": {
            "file": "src/google/protobuf/compiler/plugin.pb.h"
        }
    },
    {
        "source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "124657712507254369188846260870108919885",
                "283805727036866803825225166658158933342",
                "238210429121914992134384152134703349305",
                "76302580530912882639147250337661808496",
                "128900572252551353919169131760864236249"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-6409-94a3f3c8",
        "target": {
            "file": "src/google/protobuf/source_context.pb.h"
        }
    },
    {
        "source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "140029083026550160416652785551918370363",
                "283805727036866803825225166658158933342",
                "238210429121914992134384152134703349305",
                "76302580530912882639147250337661808496",
                "128900572252551353919169131760864236249"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-6409-9a32db23",
        "target": {
            "file": "src/google/protobuf/compiler/java/java_features.pb.h"
        }
    },
    {
        "source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "3225823212780723886126869657009806110",
                "283805727036866803825225166658158933342",
                "238210429121914992134384152134703349305",
                "76302580530912882639147250337661808496",
                "128900572252551353919169131760864236249"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-6409-add9e9cf",
        "target": {
            "file": "src/google/protobuf/descriptor.pb.h"
        }
    },
    {
        "source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "39824730187551357074663387166503072673",
                "283805727036866803825225166658158933342",
                "238210429121914992134384152134703349305",
                "76302580530912882639147250337661808496",
                "128900572252551353919169131760864236249"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2026-6409-e93c9ac5",
        "target": {
            "file": "src/google/protobuf/type.pb.h"
        }
    }
]
vanir_signatures_modified
"2026-07-17T19:05:52Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-6409.json"