{"id":"PYSEC-2026-899","summary":"protobuf-cpp and protobuf-python have potential Denial of Service issue","details":"### Summary\n\nA message parsing and memory management vulnerability in ProtocolBuffer’s C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message, which could lead to a denial of service (DoS) on services using the libraries.\n\nReporter: [ClusterFuzz](https://google.github.io/clusterfuzz/)\n\nAffected versions: All versions of C++ Protobufs (including Python) prior to the versions listed below.\n\n### Severity & Impact\nAs scored by google  \n**Medium 5.7** - [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)  \nAsscored byt NIST  \n**High 7.5** - [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\nA small (~500 KB) malicious payload can be constructed which causes the running service to allocate more than 3GB of RAM.\n\n### Proof of Concept\n\nFor reproduction details, please refer to the unit test that identifies the specific inputs that exercise this parsing weakness.\n\n### Mitigation / Patching\n\nPlease update to the latest available versions of the following packages:\n- protobuf-cpp (3.18.3, 3.19.5, 3.20.2, 3.21.6)\n- protobuf-python (3.18.3, 3.19.5, 3.20.2, 4.21.6)","aliases":["CVE-2022-1941","GHSA-8gq9-2x98-w8hf"],"modified":"2026-07-07T11:45:17.408026989Z","published":"2026-07-07T10:17:22.281659Z","references":[{"type":"WEB","url":"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-1941"},{"type":"WEB","url":"https://cloud.google.com/support/bulletins#GCP-2022-019"},{"type":"PACKAGE","url":"https://github.com/protocolbuffers/protobuf"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20240705-0001"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2022/09/27/1"},{"type":"PACKAGE","url":"https://pypi.org/project/protobuf"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-8gq9-2x98-w8hf"}],"affected":[{"package":{"name":"protobuf","ecosystem":"PyPI","purl":"pkg:pypi/protobuf"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.18.3"},{"introduced":"3.19.0"},{"fixed":"3.19.5"},{"introduced":"3.20.0"},{"fixed":"3.20.2"},{"introduced":"4.0.0"},{"fixed":"4.21.6"}]}],"versions":["2.0.0beta","2.0.3","2.3.0","2.4.1","2.5.0","2.6.0","2.6.1","3.0.0","3.0.0a2","3.0.0a3","3.0.0b1","3.0.0b1.post1","3.0.0b1.post2","3.0.0b2","3.0.0b2.post1","3.0.0b2.post2","3.0.0b3","3.0.0b4","3.1.0","3.1.0.post1","3.10.0","3.10.0rc1","3.11.0","3.11.0rc1","3.11.0rc2","3.11.1","3.11.2","3.11.3","3.12.0","3.12.0rc1","3.12.0rc2","3.12.1","3.12.2","3.12.4","3.13.0","3.13.0rc3","3.14.0","3.14.0rc1","3.14.0rc2","3.14.0rc3","3.15.0","3.15.0rc1","3.15.0rc2","3.15.1","3.15.2","3.15.3","3.15.4","3.15.5","3.15.6","3.15.7","3.15.8","3.16.0","3.16.0rc1","3.16.0rc2","3.17.0","3.17.0rc1","3.17.0rc2","3.17.1","3.17.2","3.17.3","3.18.0","3.18.0rc1","3.18.0rc2","3.18.1","3.19.0","3.19.1","3.19.2","3.19.3","3.19.4","3.2.0","3.2.0rc1","3.2.0rc1.post1","3.2.0rc2","3.20.0","3.20.1","3.20.1rc1","3.3.0","3.4.0","3.5.0.post1","3.5.1","3.5.2","3.5.2.post1","3.6.0","3.6.1","3.7.0","3.7.0rc2","3.7.0rc3","3.7.1","3.8.0","3.8.0rc1","3.9.0","3.9.0rc1","3.9.1","3.9.2","4.21.0","4.21.0rc1","4.21.0rc2","4.21.1","4.21.2","4.21.3","4.21.4","4.21.5"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/protobuf/PYSEC-2026-899.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}