{"id":"CVE-2026-6409","summary":"Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input","details":"A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.","aliases":["GHSA-p2gh-cfq4-4wjc"],"modified":"2026-07-17T19:05:52.739799Z","published":"2026-04-16T14:30:51.568Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6409.json","cna_assigner":"Google","cwe_ids":["CWE-20"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6409.json"},{"type":"ADVISORY","url":"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-p2gh-cfq4-4wjc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6409"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/protocolbuffers/protobuf","events":[{"introduced":"0"},{"fixed":"a651c245d882895ef9de80a02b85ef8271156a13"},{"fixed":"6e1998413a5bca7c058b85999667893f167434bc"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"5.34.0-RC1"},{"fixed":"4.33.6"}],"source":"AFFECTED_FIELD"}}],"versions":["v27-dev","v26-dev","v28-dev","v33-dev","v4.33.0-rc1-objectivec","v33.0-rc1","v32-dev","v31-dev","rust-prerelease-4.31.0-beta1","v30-dev","rust-prerelease-4.30.0-beta1","v29-dev","v3.20.0-rc2","v3.12.3","v3.0.0-beta-3-pre-1","v3.0.0-beta-2","v3.0.0-beta-1-bzl-fix","v3.0.0-beta-1","v3.0.0-alpha-4","v3.0.0-alpha-3","v2.6.1rc1","v2.6.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-6409.json","vanir_signatures_modified":"2026-07-17T19:05:52Z","vanir_signatures":[{"target":{"file":"src/google/protobuf/wrappers.pb.h"},"deprecated":false,"digest":{"line_hashes":["293587433391502417172988884473184163216","283805727036866803825225166658158933342","238210429121914992134384152134703349305","76302580530912882639147250337661808496","128900572252551353919169131760864236249"],"threshold":0.9},"id":"CVE-2026-6409-028d96fb","signature_type":"Line","signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13"},{"signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/6e1998413a5bca7c058b85999667893f167434bc","target":{"file":"java/core/src/main/java/com/google/protobuf/RuntimeVersion.java"},"deprecated":false,"digest":{"line_hashes":["333170449206135040106821312145359843255","280015746586202993717428809723835945131","33629295250416755498067831215155967102","215908973485308819892957006685588128161"],"threshold":0.9},"id":"CVE-2026-6409-0464d8d8","signature_type":"Line"},{"signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13","target":{"file":"src/google/protobuf/api.pb.h"},"deprecated":false,"digest":{"line_hashes":["242044830337533364415036252816020343776","283805727036866803825225166658158933342","238210429121914992134384152134703349305","76302580530912882639147250337661808496","128900572252551353919169131760864236249"],"threshold":0.9},"id":"CVE-2026-6409-050cb0eb","signature_type":"Line"},{"signature_type":"Line","signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13","target":{"file":"src/google/protobuf/timestamp.pb.h"},"deprecated":false,"digest":{"line_hashes":["308740214268374788873652203696633162152","283805727036866803825225166658158933342","238210429121914992134384152134703349305","76302580530912882639147250337661808496","128900572252551353919169131760864236249"],"threshold":0.9},"id":"CVE-2026-6409-17aa41eb"},{"source":"https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13","target":{"file":"src/google/protobuf/field_mask.pb.h"},"deprecated":false,"digest":{"line_hashes":["98733759163156666860414000799353510873","283805727036866803825225166658158933342","238210429121914992134384152134703349305","76302580530912882639147250337661808496","128900572252551353919169131760864236249"],"threshold":0.9},"id":"CVE-2026-6409-17d65a8a","signature_type":"Line","signature_version":"v1"},{"digest":{"line_hashes":["135065695527964093886488623779684532153","283805727036866803825225166658158933342","238210429121914992134384152134703349305","76302580530912882639147250337661808496","128900572252551353919169131760864236249"],"threshold":0.9},"id":"CVE-2026-6409-211de60c","signature_type":"Line","signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13","target":{"file":"src/google/protobuf/empty.pb.h"},"deprecated":false},{"id":"CVE-2026-6409-23abedc3","signature_type":"Line","signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13","target":{"file":"src/google/protobuf/struct.pb.h"},"deprecated":false,"digest":{"line_hashes":["111393161344815088188651509583831737488","283805727036866803825225166658158933342","238210429121914992134384152134703349305","76302580530912882639147250337661808496","128900572252551353919169131760864236249"],"threshold":0.9}},{"deprecated":false,"digest":{"line_hashes":["239274286640701806485802098800052541016","283805727036866803825225166658158933342","238210429121914992134384152134703349305","76302580530912882639147250337661808496","128900572252551353919169131760864236249"],"threshold":0.9},"id":"CVE-2026-6409-2698561b","signature_type":"Line","signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13","target":{"file":"src/google/protobuf/duration.pb.h"}},{"signature_type":"Line","signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13","target":{"file":"src/google/protobuf/any.pb.h"},"deprecated":false,"digest":{"line_hashes":["105566796257300201076777150700032360669","283805727036866803825225166658158933342","238210429121914992134384152134703349305","76302580530912882639147250337661808496","128900572252551353919169131760864236249"],"threshold":0.9},"id":"CVE-2026-6409-30136eeb"},{"signature_type":"Line","signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13","target":{"file":"src/google/protobuf/cpp_features.pb.h"},"deprecated":false,"digest":{"line_hashes":["197705528284598073415371824521333691909","283805727036866803825225166658158933342","238210429121914992134384152134703349305","76302580530912882639147250337661808496","128900572252551353919169131760864236249"],"threshold":0.9},"id":"CVE-2026-6409-72919372"},{"target":{"file":"java/core/src/main/java/com/google/protobuf/RuntimeVersion.java"},"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["20810329268721340310766549515082347273","329995525058581828883932521799122571978","283206227101758475225173215830832117357","215908973485308819892957006685588128161"]},"id":"CVE-2026-6409-820fe68a","signature_type":"Line","signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13"},{"signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13","target":{"file":"src/google/protobuf/compiler/plugin.pb.h"},"deprecated":false,"digest":{"line_hashes":["278684249155769608502554103167593690099","283805727036866803825225166658158933342","238210429121914992134384152134703349305","76302580530912882639147250337661808496","128900572252551353919169131760864236249"],"threshold":0.9},"id":"CVE-2026-6409-92cbbc4c","signature_type":"Line"},{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["124657712507254369188846260870108919885","283805727036866803825225166658158933342","238210429121914992134384152134703349305","76302580530912882639147250337661808496","128900572252551353919169131760864236249"]},"id":"CVE-2026-6409-94a3f3c8","signature_type":"Line","signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13","target":{"file":"src/google/protobuf/source_context.pb.h"}},{"signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13","target":{"file":"src/google/protobuf/compiler/java/java_features.pb.h"},"deprecated":false,"digest":{"line_hashes":["140029083026550160416652785551918370363","283805727036866803825225166658158933342","238210429121914992134384152134703349305","76302580530912882639147250337661808496","128900572252551353919169131760864236249"],"threshold":0.9},"id":"CVE-2026-6409-9a32db23","signature_type":"Line"},{"deprecated":false,"digest":{"line_hashes":["3225823212780723886126869657009806110","283805727036866803825225166658158933342","238210429121914992134384152134703349305","76302580530912882639147250337661808496","128900572252551353919169131760864236249"],"threshold":0.9},"id":"CVE-2026-6409-add9e9cf","signature_type":"Line","signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13","target":{"file":"src/google/protobuf/descriptor.pb.h"}},{"deprecated":false,"digest":{"line_hashes":["39824730187551357074663387166503072673","283805727036866803825225166658158933342","238210429121914992134384152134703349305","76302580530912882639147250337661808496","128900572252551353919169131760864236249"],"threshold":0.9},"id":"CVE-2026-6409-e93c9ac5","signature_type":"Line","signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/a651c245d882895ef9de80a02b85ef8271156a13","target":{"file":"src/google/protobuf/type.pb.h"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}