{"id":"PYSEC-2026-684","summary":"Memory leak in Nanopb","details":"### Impact\nDecoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded contains the submessage multiple times. This is rare in normal messages, but it is a concern when untrusted data is parsed.\n\n### Patches\nPreliminary patch is [available on git](https://github.com/nanopb/nanopb/commit/edf6dcbffee4d614ac0c2c1b258ab95185bdb6e9) and problem will be patched in versions 0.3.9.7 and 0.4.4 once testing has been completed.\n\n### Workarounds\nFollowing workarounds are available:\n* Set the option `no_unions` for the oneof field. This will generate fields as separate instead of C union, and avoids triggering the problematic code.\n* Set the type of the submessage field inside oneof to `FT_POINTER`. This way the whole submessage will be dynamically allocated and the problematic code is not executed.\n* Use an arena allocator for nanopb, to make sure all memory can be released afterwards.\n\n### References\nBug report: https://github.com/nanopb/nanopb/issues/615\n\n### For more information\nIf you have any questions or comments about this advisory, comment on the bug report linked above.","aliases":["CVE-2020-26243","GHSA-85rr-4rh9-hhwh"],"modified":"2026-07-06T08:00:39.967579107Z","published":"2026-07-02T14:13:09.752037Z","references":[{"type":"WEB","url":"https://github.com/nanopb/nanopb/security/advisories/GHSA-85rr-4rh9-hhwh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26243"},{"type":"WEB","url":"https://github.com/nanopb/nanopb/issues/615"},{"type":"WEB","url":"https://github.com/nanopb/nanopb/commit/4fe23595732b6f1254cfc11a9b8d6da900b55b0c"},{"type":"WEB","url":"https://github.com/nanopb/nanopb/blob/2b48a361786dfb1f63d229840217a93aae064667/CHANGELOG.txt"},{"type":"PACKAGE","url":"https://pypi.org/project/nanopb"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-85rr-4rh9-hhwh"}],"affected":[{"package":{"name":"nanopb","ecosystem":"PyPI","purl":"pkg:pypi/nanopb"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.3.2"},{"fixed":"0.3.9.7"},{"introduced":"0.4.0"},{"fixed":"0.4.4"}]}],"versions":["0.3.9.4.post3","0.3.9.5","0.3.9.6","0.4.0","0.4.1","0.4.1.dev1003","0.4.1.dev1007","0.4.1.dev1012","0.4.1.dev1013","0.4.1.dev1017","0.4.1.dev1036","0.4.1.dev959","0.4.1.dev961","0.4.1.dev962","0.4.1.dev964","0.4.1.dev971","0.4.1.dev978","0.4.1.dev980","0.4.1.dev985","0.4.1.dev987","0.4.1.dev988","0.4.1.dev996","0.4.1.dev997","0.4.2","0.4.2.dev1041","0.4.2.dev1043","0.4.2.dev1044","0.4.2.dev1045","0.4.2.dev1048","0.4.2.dev1050","0.4.2.dev1053","0.4.2.dev1054","0.4.2.dev1055","0.4.2.dev1058","0.4.2.dev1059","0.4.2.dev1063","0.4.2.dev1066","0.4.2.dev1070","0.4.2.dev1071","0.4.2.dev1072","0.4.2.dev1076","0.4.2.dev1088","0.4.2.dev1091","0.4.3","0.4.3.dev1128","0.4.3.dev1131","0.4.3.dev1132","0.4.3.dev1133","0.4.3.dev1137","0.4.3.dev1150","0.4.3.dev1164","0.4.3.dev1172","0.4.3.dev1175","0.4.3.dev1177","0.4.4.dev1181","0.4.4.dev1182","0.4.4.dev1184","0.4.4.dev1185","0.4.4.dev1188","0.4.4.dev1192","0.4.4.dev1193"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/nanopb/PYSEC-2026-684.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}