{"id":"CVE-2022-3510","details":"A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.\n\n","aliases":["GHSA-4gg5-vx3j-xwc7"],"modified":"2026-04-11T23:41:54.318240Z","published":"2022-12-12T13:15:14.670Z","related":["CGA-xh3h-x9r4-vx6v"],"references":[{"type":"FIX","url":"https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/protocolbuffers/protobuf","events":[{"introduced":"2dc747c574b68a808ea4699d26942c8132fe2b09"},{"fixed":"b8c2488f480bbe3d66b9874c2fcd434201caa48a"},{"introduced":"17b30e96476be70b8773b2b807bab857fd3ceb39"},{"fixed":"5cba162a5d93f8df786d828621019e03e50edb4f"},{"introduced":"bc799d78f81115940eec953e2937245c70e3e6e4"},{"fixed":"fe271ab76f2ad2b2b28c10443865d2af21e27e0e"},{"introduced":"7062d0a2d0075d5e7d5c294fd3984df67a976da3"},{"fixed":"54489e95e01882407f356f83c9074415e561db00"},{"introduced":"2dc747c574b68a808ea4699d26942c8132fe2b09"},{"fixed":"b8c2488f480bbe3d66b9874c2fcd434201caa48a"},{"introduced":"652d99a8ee8aa6b801e11977951fbf444cfccc8f"},{"fixed":"5cba162a5d93f8df786d828621019e03e50edb4f"},{"introduced":"bc799d78f81115940eec953e2937245c70e3e6e4"},{"fixed":"fe271ab76f2ad2b2b28c10443865d2af21e27e0e"},{"introduced":"7062d0a2d0075d5e7d5c294fd3984df67a976da3"},{"fixed":"54489e95e01882407f356f83c9074415e561db00"},{"fixed":"db7c17803320525722f45c1d26fc08bc41d1bf48"}],"database_specific":{"versions":[{"introduced":"3.16.0"},{"fixed":"3.16.3"},{"introduced":"3.19.0"},{"fixed":"3.19.6"},{"introduced":"3.20.0"},{"fixed":"3.20.3"},{"introduced":"3.21.0"},{"fixed":"3.21.7"},{"introduced":"3.16.0"},{"fixed":"3.16.3"},{"introduced":"3.17.0"},{"fixed":"3.19.6"},{"introduced":"3.20.0"},{"fixed":"3.20.3"},{"introduced":"3.21.0"},{"fixed":"3.21.7"}]}}],"versions":["v3.16.0","v3.16.1","v3.19.0","v3.19.1","v3.19.2","v3.19.3","v3.19.4","v3.20.0","v3.20.0-rc3","v3.20.1","v3.20.1-rc1"],"database_specific":{"vanir_signatures_modified":"2026-04-11T23:41:54Z","vanir_signatures":[{"target":{"file":"src/google/protobuf/compiler/plugin.pb.h"},"id":"CVE-2022-3510-188035fa","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","signature_version":"v1"},{"target":{"file":"src/google/protobuf/descriptor.pb.h"},"id":"CVE-2022-3510-1a4951d1","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","signature_version":"v1"},{"target":{"file":"src/google/protobuf/wrappers.pb.h"},"id":"CVE-2022-3510-2069b3da","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","signature_version":"v1"},{"target":{"file":"src/google/protobuf/any.pb.h"},"id":"CVE-2022-3510-2f6d50fa","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","signature_version":"v1"},{"target":{"file":"src/google/protobuf/wrappers.pb.h"},"id":"CVE-2022-3510-3c760779","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","signature_version":"v1"},{"target":{"file":"src/google/protobuf/field_mask.pb.h"},"id":"CVE-2022-3510-4e70c1e4","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","signature_version":"v1"},{"target":{"file":"src/google/protobuf/descriptor.pb.h"},"id":"CVE-2022-3510-51960048","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","signature_version":"v1"},{"target":{"file":"src/google/protobuf/timestamp.pb.h"},"id":"CVE-2022-3510-610f4e97","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","signature_version":"v1"},{"target":{"file":"src/google/protobuf/api.pb.h"},"id":"CVE-2022-3510-6bc36508","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","signature_version":"v1"},{"target":{"file":"src/google/protobuf/compiler/plugin.pb.h"},"id":"CVE-2022-3510-7b523458","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","signature_version":"v1"},{"target":{"file":"src/google/protobuf/timestamp.pb.h"},"id":"CVE-2022-3510-7b59bb12","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","signature_version":"v1"},{"target":{"file":"src/google/protobuf/type.pb.h"},"id":"CVE-2022-3510-892436e4","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","signature_version":"v1"},{"target":{"file":"src/google/protobuf/any.pb.h"},"id":"CVE-2022-3510-8c2e0192","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","signature_version":"v1"},{"target":{"file":"src/google/protobuf/api.pb.h"},"id":"CVE-2022-3510-8ec1c149","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","signature_version":"v1"},{"target":{"file":"src/google/protobuf/empty.pb.h"},"id":"CVE-2022-3510-97dee356","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","signature_version":"v1"},{"target":{"file":"src/google/protobuf/type.pb.h"},"id":"CVE-2022-3510-9c5325d9","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","signature_version":"v1"},{"target":{"file":"src/google/protobuf/empty.pb.h"},"id":"CVE-2022-3510-b0f21209","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","signature_version":"v1"},{"target":{"file":"src/google/protobuf/duration.pb.h"},"id":"CVE-2022-3510-c1227f64","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","signature_version":"v1"},{"target":{"file":"src/google/protobuf/duration.pb.h"},"id":"CVE-2022-3510-c9c7f1ec","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","signature_version":"v1"},{"target":{"file":"src/google/protobuf/field_mask.pb.h"},"id":"CVE-2022-3510-d5e132eb","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","signature_version":"v1"},{"target":{"file":"src/google/protobuf/source_context.pb.h"},"id":"CVE-2022-3510-ebeb0e90","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","signature_version":"v1"},{"target":{"file":"src/google/protobuf/struct.pb.h"},"id":"CVE-2022-3510-f9310ee7","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","signature_version":"v1"},{"target":{"file":"src/google/protobuf/source_context.pb.h"},"id":"CVE-2022-3510-f931a154","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","signature_version":"v1"},{"target":{"file":"src/google/protobuf/struct.pb.h"},"id":"CVE-2022-3510-fd9bc12e","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-3510.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}