{"id":"CVE-2021-22569","details":"An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that they would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.","aliases":["GHSA-wrvw-hg22-4m67"],"modified":"2026-04-11T13:53:52.174235Z","published":"2022-01-10T14:10:16.747Z","related":["CGA-p22x-xfxm-vx6h","SUSE-SU-2022:3922-1","SUSE-SU-2023:2783-1","SUSE-SU-2023:2783-2"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html"},{"type":"ADVISORY","url":"https://cloud.google.com/support/bulletins#gcp-2022-001"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2022/01/12/4"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2022/01/12/7"},{"type":"REPORT","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/protocolbuffers/protobuf","events":[{"introduced":"0"},{"fixed":"cb46755e6405e083b45481f5ea4754b180705529"},{"introduced":"0"},{"fixed":"791a4355c365bd92720160671a7491be168055cb"},{"introduced":"89b14b1d16eba4d44af43256fc45b24a6a348557"},{"fixed":"6c6b0778b70f35f93c2f0dee30e5d12ad2a83eea"},{"introduced":"17b30e96476be70b8773b2b807bab857fd3ceb39"},{"fixed":"cb46755e6405e083b45481f5ea4754b180705529"},{"introduced":"0"},{"fixed":"6c6b0778b70f35f93c2f0dee30e5d12ad2a83eea"},{"introduced":"17b30e96476be70b8773b2b807bab857fd3ceb39"},{"fixed":"cb46755e6405e083b45481f5ea4754b180705529"},{"introduced":"0"},{"last_affected":"b464cfbee18c71c40e761a5273ad369f3547294b"},{"introduced":"0"},{"last_affected":"7062d0a2d0075d5e7d5c294fd3984df67a976da3"}],"database_specific":{"versions":[{"introduced":"0"},
{"fixed":"3.19.2"},{"introduced":"0"},{"fixed":"3.16.1"},{"introduced":"3.18.0"},{"fixed":"3.18.2"},{"introduced":"3.19.0"},{"fixed":"3.19.2"},{"introduced":"0"},{"fixed":"3.18.2"},{"introduced":"3.19.0"},{"fixed":"3.19.2"},{"introduced":"0"},{"last_affected":"19c"},{"introduced":"0"},{"last_affected":"21c"}]}}],"versions":["v19.5","v2.6.0","v2.6.1rc1","v21.0","v21.0-rc1","v21.0-rc2","v3.0.0-alpha-3","v3.0.0-alpha-4","v3.0.0-beta-1","v3.0.0-beta-1-bzl-fix","v3.0.0-beta-2","v3.0.0-beta-3-pre-1","v3.12.3","v3.16.0","v3.16.0-rc1","v3.16.0-rc2","v3.18.0","v3.18.1","v3.19.0","v3.19.1","v3.19.2","v3.19.3","v3.19.4","v3.19.5","v3.20.0-rc2","v3.21.0"],"database_specific":{"vanir_signatures_modified":"2026-04-11T13:53:52Z","vanir_signatures":[{"signature_version":"v1","id":"CVE-2021-22569-007a6f1a","signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"target":{"file":"src/google/protobuf/source_context.pb.h"},"deprecated":false},{"signature_version":"v1","id":"CVE-2021-22569-0c6a5439","signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"target":{"file":"src/google/protobuf/any.pb.h"},"deprecated":false},{"signature_version":"v1","id":"CVE-2021-22569-297c786b","signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","949024284
41466243207974400648954766131","139512282090018918949412744829553419206"]},"target":{"file":"src/google/protobuf/compiler/plugin.pb.h"},"deprecated":false},{"signature_version":"v1","id":"CVE-2021-22569-2ad1978c","signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"target":{"file":"src/google/protobuf/field_mask.pb.h"},"deprecated":false},{"signature_version":"v1","id":"CVE-2021-22569-74dbca6c","signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"target":{"file":"src/google/protobuf/type.pb.h"},"deprecated":false},{"signature_version":"v1","id":"CVE-2021-22569-7d3abc12","signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"target":{"file":"src/google/protobuf/descriptor.pb.h"},"deprecated":false},{"signature_version":"v1","id":"CVE-2021-22569-a55a1d2a","signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"target":{"file":"src/google/protobuf/wrappers
.pb.h"},"deprecated":false},{"signature_version":"v1","id":"CVE-2021-22569-cbf5b140","signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"target":{"file":"src/google/protobuf/timestamp.pb.h"},"deprecated":false},{"signature_version":"v1","id":"CVE-2021-22569-d147c29a","signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"target":{"file":"src/google/protobuf/api.pb.h"},"deprecated":false},{"signature_version":"v1","id":"CVE-2021-22569-dec320e6","signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"target":{"file":"src/google/protobuf/empty.pb.h"},"deprecated":false},{"signature_version":"v1","id":"CVE-2021-22569-f87ca39e","signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"target":{"file":"src/google/protobuf/duration.pb.h"},"deprecated":false},{"signature_version":"v1","id":"CVE-2021-22569-ff862195","signature_type":"Line","source":"https://github.c
om/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"target":{"file":"src/google/protobuf/struct.pb.h"},"deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22569.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.1"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}