A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.
{
"cwe_ids": [
"CWE-20"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6409.json",
"cna_assigner": "Google"
}[
{
"source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"293587433391502417172988884473184163216",
"283805727036866803825225166658158933342",
"238210429121914992134384152134703349305",
"76302580530912882639147250337661808496",
"128900572252551353919169131760864236249"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-6409-028d96fb",
"target": {
"file": "src/google/protobuf/wrappers.pb.h"
}
},
{
"source": "https://github.com/protocolbuffers/protobuf/commit/6e1998413a5bca7c058b85999667893f167434bc",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"333170449206135040106821312145359843255",
"280015746586202993717428809723835945131",
"33629295250416755498067831215155967102",
"215908973485308819892957006685588128161"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-6409-0464d8d8",
"target": {
"file": "java/core/src/main/java/com/google/protobuf/RuntimeVersion.java"
}
},
{
"source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"242044830337533364415036252816020343776",
"283805727036866803825225166658158933342",
"238210429121914992134384152134703349305",
"76302580530912882639147250337661808496",
"128900572252551353919169131760864236249"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-6409-050cb0eb",
"target": {
"file": "src/google/protobuf/api.pb.h"
}
},
{
"source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"308740214268374788873652203696633162152",
"283805727036866803825225166658158933342",
"238210429121914992134384152134703349305",
"76302580530912882639147250337661808496",
"128900572252551353919169131760864236249"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-6409-17aa41eb",
"target": {
"file": "src/google/protobuf/timestamp.pb.h"
}
},
{
"source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"98733759163156666860414000799353510873",
"283805727036866803825225166658158933342",
"238210429121914992134384152134703349305",
"76302580530912882639147250337661808496",
"128900572252551353919169131760864236249"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-6409-17d65a8a",
"target": {
"file": "src/google/protobuf/field_mask.pb.h"
}
},
{
"source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"135065695527964093886488623779684532153",
"283805727036866803825225166658158933342",
"238210429121914992134384152134703349305",
"76302580530912882639147250337661808496",
"128900572252551353919169131760864236249"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-6409-211de60c",
"target": {
"file": "src/google/protobuf/empty.pb.h"
}
},
{
"source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"111393161344815088188651509583831737488",
"283805727036866803825225166658158933342",
"238210429121914992134384152134703349305",
"76302580530912882639147250337661808496",
"128900572252551353919169131760864236249"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-6409-23abedc3",
"target": {
"file": "src/google/protobuf/struct.pb.h"
}
},
{
"source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"239274286640701806485802098800052541016",
"283805727036866803825225166658158933342",
"238210429121914992134384152134703349305",
"76302580530912882639147250337661808496",
"128900572252551353919169131760864236249"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-6409-2698561b",
"target": {
"file": "src/google/protobuf/duration.pb.h"
}
},
{
"source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"105566796257300201076777150700032360669",
"283805727036866803825225166658158933342",
"238210429121914992134384152134703349305",
"76302580530912882639147250337661808496",
"128900572252551353919169131760864236249"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-6409-30136eeb",
"target": {
"file": "src/google/protobuf/any.pb.h"
}
},
{
"source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"197705528284598073415371824521333691909",
"283805727036866803825225166658158933342",
"238210429121914992134384152134703349305",
"76302580530912882639147250337661808496",
"128900572252551353919169131760864236249"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-6409-72919372",
"target": {
"file": "src/google/protobuf/cpp_features.pb.h"
}
},
{
"source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"20810329268721340310766549515082347273",
"329995525058581828883932521799122571978",
"283206227101758475225173215830832117357",
"215908973485308819892957006685588128161"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-6409-820fe68a",
"target": {
"file": "java/core/src/main/java/com/google/protobuf/RuntimeVersion.java"
}
},
{
"source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"278684249155769608502554103167593690099",
"283805727036866803825225166658158933342",
"238210429121914992134384152134703349305",
"76302580530912882639147250337661808496",
"128900572252551353919169131760864236249"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-6409-92cbbc4c",
"target": {
"file": "src/google/protobuf/compiler/plugin.pb.h"
}
},
{
"source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"124657712507254369188846260870108919885",
"283805727036866803825225166658158933342",
"238210429121914992134384152134703349305",
"76302580530912882639147250337661808496",
"128900572252551353919169131760864236249"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-6409-94a3f3c8",
"target": {
"file": "src/google/protobuf/source_context.pb.h"
}
},
{
"source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"140029083026550160416652785551918370363",
"283805727036866803825225166658158933342",
"238210429121914992134384152134703349305",
"76302580530912882639147250337661808496",
"128900572252551353919169131760864236249"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-6409-9a32db23",
"target": {
"file": "src/google/protobuf/compiler/java/java_features.pb.h"
}
},
{
"source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"3225823212780723886126869657009806110",
"283805727036866803825225166658158933342",
"238210429121914992134384152134703349305",
"76302580530912882639147250337661808496",
"128900572252551353919169131760864236249"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-6409-add9e9cf",
"target": {
"file": "src/google/protobuf/descriptor.pb.h"
}
},
{
"source": "https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"39824730187551357074663387166503072673",
"283805727036866803825225166658158933342",
"238210429121914992134384152134703349305",
"76302580530912882639147250337661808496",
"128900572252551353919169131760864236249"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-6409-e93c9ac5",
"target": {
"file": "src/google/protobuf/type.pb.h"
}
}
]
"2026-07-17T19:05:52Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-6409.json"