CVE-2026-6409

HIGH

Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input

Title source: cna

Description

A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.

Scores

CVSS v4 7.1
EPSS 0.0036
EPSS Percentile 27.6%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-20
Status published
Products (3)
google/protobuf 0 - 4.33.6 (Packagist)
Protocol Buffers/Protobuf-php (Pecl) < 4.33.6
Protocol Buffers/Protobuf-php (Pecl) < 5.34.0-RC1
Published Apr 16, 2026
Tracked Since Apr 16, 2026