Denial of Service (DoS) vulnerability exists in the Protobuf PHP...

7.1 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.

Basic Information

ID CVE-2026-6409

Source Google

Published Apr 16, 2026 at 14:30

Affected Product

Vendor Protocol Buffers

Product Protobuf-php (Pecl)

Affected Versions Protocol Buffers Protobuf-php (Pecl) 0
Protocol Buffers Protobuf-php (Pecl) 0

CWE Classification

CWE-20

References

github.com /protocolbuffers/protobuf/security/advisories/GHSA-p2gh-cfq4-4wjc

{
    "lastseen": "",
    "description": "A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages\u2014specifically those containing negative\u00a0varints or deep recursion\u2014can be used to crash the application, impacting service availability.",
    "published": "2026-04-16T14:30:51.568Z",
    "modified": "2026-04-16T14:30:51.568Z",
    "type": "cve",
    "title": "Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input",
    "source": "Google",
    "references": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-p2gh-cfq4-4wjc",
    "id": "CVE-2026-6409",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "Protocol Buffers Protobuf-php (Pecl) 0\nProtocol Buffers Protobuf-php (Pecl) 0",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Protobuf-php (Pecl)",
    "version": "0",
    "vendor": "Protocol Buffers",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input_CVE-2026-6409