CVE-2026-6409
unknown
CVSS v3: —
CVSS v2: —
VIR risk: —
Description
A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library when it parses untrusted input. Maliciously structured messages, specifically those containing negative varints or deeply nested (recursive) structures, can crash the application, impacting service availability.
Predictions
Exploit likelihood: 20%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-6409
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | affected | |
| debian | sid | affected | |
| debian | trixie | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | google/protobuf | <4.33.6 | 4.33.6 |
References
- https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-p2gh-cfq4-4wjc
- https://nvd.nist.gov/vuln/detail/CVE-2026-6409
- https://github.com/protocolbuffers/protobuf/issues/24159
- https://github.com/protocolbuffers/protobuf/issues/25067
- https://github.com/protocolbuffers/protobuf/commit/60e93d2d104f2af9cd345b1c6f3891d91430244a
- https://github.com/protocolbuffers/protobuf/commit/c8e9b27d95c6ab2d0668b5889e7dac2c477b7038
- https://github.com/protocolbuffers/protobuf
- https://security-tracker.debian.org/tracker/CVE-2026-6409