CVE-2026-6409

HIGH

Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input

Title source: cna

Description

A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.

Scores

CVSS v4 7.1
EPSS 0.0009
EPSS Percentile 25.3%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Details

CWE
CWE-20
Status published
Products (3)
google/protobuf (Packagist) 0 - 4.33.6
Protocol Buffers/Protobuf-php (Pecl) < 4.33.6
Protocol Buffers/Protobuf-php (Pecl) < 5.34.0-RC1
Published Apr 16, 2026
Tracked Since Apr 16, 2026