UBUNTU-CVE-2024-7254

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2024-7254
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-7254.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2024-7254
Upstream
Downstream
Related
Published
2024-09-19T01:15:00Z
Modified
2025-08-01T05:02:10Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

References

Affected packages

Ubuntu:Pro:14.04:LTS / protobuf

Package

Name
protobuf
Purl
pkg:deb/ubuntu/protobuf@2.5.0-9ubuntu1+esm1?arch=source&distro=esm-infra-legacy/trusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.4.1-3ubuntu2
2.4.1-3ubuntu3
2.4.1-3ubuntu4
2.5.0-5ubuntu2
2.5.0-7ubuntu1
2.5.0-8ubuntu1
2.5.0-9ubuntu1
2.5.0-9ubuntu1+esm1

Ubuntu:Pro:16.04:LTS / protobuf

Package

Name
protobuf
Purl
pkg:deb/ubuntu/protobuf@2.6.1-1.3ubuntu0.1~esm2?arch=source&distro=esm-infra/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.6.1-1.2
2.6.1-1.3
2.6.1-1.3ubuntu0.1~esm1
2.6.1-1.3ubuntu0.1~esm2

Ubuntu:Pro:18.04:LTS / protobuf

Package

Name
protobuf
Purl
pkg:deb/ubuntu/protobuf@3.0.0-9.1ubuntu1.1?arch=source&distro=esm-infra/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.0-9ubuntu5
3.0.0-9ubuntu6
3.0.0-9.1ubuntu1
3.0.0-9.1ubuntu1.1

Ubuntu:Pro:20.04:LTS / protobuf

Package

Name
protobuf
Purl
pkg:deb/ubuntu/protobuf@3.6.1.3-2ubuntu5.2?arch=source&distro=esm-infra/focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.6.1.3-2
3.6.1.3-2ubuntu1
3.6.1.3-2ubuntu3
3.6.1.3-2ubuntu4
3.6.1.3-2ubuntu5
3.6.1.3-2ubuntu5.2

Ubuntu:22.04:LTS / protobuf

Package

Name
protobuf
Purl
pkg:deb/ubuntu/protobuf@3.12.4-1ubuntu7.22.04.2?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.12.4-1ubuntu7.22.04.2

Affected versions

3.*

3.12.4-1ubuntu3
3.12.4-1ubuntu5
3.12.4-1ubuntu6
3.12.4-1ubuntu7
3.12.4-1ubuntu7.22.04.1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "elpa-protobuf-mode",
            "binary_version": "3.12.4-1ubuntu7.22.04.2"
        },
        {
            "binary_name": "libprotobuf-dev",
            "binary_version": "3.12.4-1ubuntu7.22.04.2"
        },
        {
            "binary_name": "libprotobuf-java",
            "binary_version": "3.12.4-1ubuntu7.22.04.2"
        },
        {
            "binary_name": "libprotobuf-lite23",
            "binary_version": "3.12.4-1ubuntu7.22.04.2"
        },
        {
            "binary_name": "libprotobuf-lite23-dbgsym",
            "binary_version": "3.12.4-1ubuntu7.22.04.2"
        },
        {
            "binary_name": "libprotobuf23",
            "binary_version": "3.12.4-1ubuntu7.22.04.2"
        },
        {
            "binary_name": "libprotobuf23-dbgsym",
            "binary_version": "3.12.4-1ubuntu7.22.04.2"
        },
        {
            "binary_name": "libprotoc-dev",
            "binary_version": "3.12.4-1ubuntu7.22.04.2"
        },
        {
            "binary_name": "libprotoc23",
            "binary_version": "3.12.4-1ubuntu7.22.04.2"
        },
        {
            "binary_name": "libprotoc23-dbgsym",
            "binary_version": "3.12.4-1ubuntu7.22.04.2"
        },
        {
            "binary_name": "protobuf-compiler",
            "binary_version": "3.12.4-1ubuntu7.22.04.2"
        },
        {
            "binary_name": "protobuf-compiler-dbgsym",
            "binary_version": "3.12.4-1ubuntu7.22.04.2"
        },
        {
            "binary_name": "python3-protobuf",
            "binary_version": "3.12.4-1ubuntu7.22.04.2"
        },
        {
            "binary_name": "python3-protobuf-dbgsym",
            "binary_version": "3.12.4-1ubuntu7.22.04.2"
        },
        {
            "binary_name": "ruby-google-protobuf",
            "binary_version": "3.12.4-1ubuntu7.22.04.2"
        },
        {
            "binary_name": "ruby-google-protobuf-dbgsym",
            "binary_version": "3.12.4-1ubuntu7.22.04.2"
        }
    ],
    "availability": "No subscription required"
}

Ubuntu:24.04:LTS / protobuf

Package

Name
protobuf
Purl
pkg:deb/ubuntu/protobuf@3.21.12-8.2ubuntu0.1?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.21.12-8.2ubuntu0.1

Affected versions

3.*

3.21.12-7ubuntu1
3.21.12-8ubuntu1
3.21.12-8ubuntu5
3.21.12-8.2
3.21.12-8.2build1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "elpa-protobuf-mode",
            "binary_version": "3.21.12-8.2ubuntu0.1"
        },
        {
            "binary_name": "libprotobuf-dev",
            "binary_version": "3.21.12-8.2ubuntu0.1"
        },
        {
            "binary_name": "libprotobuf-java",
            "binary_version": "3.21.12-8.2ubuntu0.1"
        },
        {
            "binary_name": "libprotobuf-lite32t64",
            "binary_version": "3.21.12-8.2ubuntu0.1"
        },
        {
            "binary_name": "libprotobuf-lite32t64-dbgsym",
            "binary_version": "3.21.12-8.2ubuntu0.1"
        },
        {
            "binary_name": "libprotobuf32t64",
            "binary_version": "3.21.12-8.2ubuntu0.1"
        },
        {
            "binary_name": "libprotobuf32t64-dbgsym",
            "binary_version": "3.21.12-8.2ubuntu0.1"
        },
        {
            "binary_name": "libprotoc-dev",
            "binary_version": "3.21.12-8.2ubuntu0.1"
        },
        {
            "binary_name": "libprotoc32t64",
            "binary_version": "3.21.12-8.2ubuntu0.1"
        },
        {
            "binary_name": "libprotoc32t64-dbgsym",
            "binary_version": "3.21.12-8.2ubuntu0.1"
        },
        {
            "binary_name": "php-google-protobuf",
            "binary_version": "3.21.12-8.2ubuntu0.1"
        },
        {
            "binary_name": "protobuf-compiler",
            "binary_version": "3.21.12-8.2ubuntu0.1"
        },
        {
            "binary_name": "protobuf-compiler-dbgsym",
            "binary_version": "3.21.12-8.2ubuntu0.1"
        },
        {
            "binary_name": "python3-protobuf",
            "binary_version": "3.21.12-8.2ubuntu0.1"
        },
        {
            "binary_name": "python3-protobuf-dbgsym",
            "binary_version": "3.21.12-8.2ubuntu0.1"
        },
        {
            "binary_name": "ruby-google-protobuf",
            "binary_version": "3.21.12-8.2ubuntu0.1"
        },
        {
            "binary_name": "ruby-google-protobuf-dbgsym",
            "binary_version": "3.21.12-8.2ubuntu0.1"
        }
    ],
    "availability": "No subscription required"
}

Ubuntu:25.04 / protobuf

Package

Name
protobuf
Purl
pkg:deb/ubuntu/protobuf@3.21.12-10ubuntu0.1?arch=source&distro=plucky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.21.12-10ubuntu0.1

Affected versions

3.*

3.21.12-9ubuntu1
3.21.12-10
3.21.12-10build1
3.21.12-10build2

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "elpa-protobuf-mode",
            "binary_version": "3.21.12-10ubuntu0.1"
        },
        {
            "binary_name": "libprotobuf-dev",
            "binary_version": "3.21.12-10ubuntu0.1"
        },
        {
            "binary_name": "libprotobuf-java",
            "binary_version": "3.21.12-10ubuntu0.1"
        },
        {
            "binary_name": "libprotobuf-lite32t64",
            "binary_version": "3.21.12-10ubuntu0.1"
        },
        {
            "binary_name": "libprotobuf-lite32t64-dbgsym",
            "binary_version": "3.21.12-10ubuntu0.1"
        },
        {
            "binary_name": "libprotobuf32t64",
            "binary_version": "3.21.12-10ubuntu0.1"
        },
        {
            "binary_name": "libprotobuf32t64-dbgsym",
            "binary_version": "3.21.12-10ubuntu0.1"
        },
        {
            "binary_name": "libprotoc-dev",
            "binary_version": "3.21.12-10ubuntu0.1"
        },
        {
            "binary_name": "libprotoc32t64",
            "binary_version": "3.21.12-10ubuntu0.1"
        },
        {
            "binary_name": "libprotoc32t64-dbgsym",
            "binary_version": "3.21.12-10ubuntu0.1"
        },
        {
            "binary_name": "php-google-protobuf",
            "binary_version": "3.21.12-10ubuntu0.1"
        },
        {
            "binary_name": "protobuf-compiler",
            "binary_version": "3.21.12-10ubuntu0.1"
        },
        {
            "binary_name": "protobuf-compiler-dbgsym",
            "binary_version": "3.21.12-10ubuntu0.1"
        },
        {
            "binary_name": "python3-protobuf",
            "binary_version": "3.21.12-10ubuntu0.1"
        },
        {
            "binary_name": "python3-protobuf-dbgsym",
            "binary_version": "3.21.12-10ubuntu0.1"
        },
        {
            "binary_name": "ruby-google-protobuf",
            "binary_version": "3.21.12-10ubuntu0.1"
        },
        {
            "binary_name": "ruby-google-protobuf-dbgsym",
            "binary_version": "3.21.12-10ubuntu0.1"
        }
    ],
    "availability": "No subscription required"
}