CVE-2026-6409

Summary

A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.

Affected Software

VendorProductVersion RangeStatus
Protocol BuffersProtobuf-php (Pecl)0 < 5.34.0-RC1affected
Protocol BuffersProtobuf-php (Pecl)0 < 4.33.6affected

Weaknesses

  • CWE-20: CWE-20 Improper input validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References