| Name | CVE-2026-6409 |
| Description | A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1134895 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| protobuf (PTS) | bullseye | 3.12.4-1+deb11u1 | vulnerable |
| bookworm | 3.21.12-3 | vulnerable | |
| trixie | 3.21.12-11 | vulnerable | |
| forky, sid | 3.21.12-15 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| protobuf | source | (unstable) | (unfixed) | 1134895 |
[trixie] - protobuf <no-dsa> (Minor issue)
[bookworm] - protobuf <no-dsa> (Minor issue)
[bullseye] - protobuf <postponed> (minor issue)
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-p2gh-cfq4-4wjc
https://github.com/protocolbuffers/protobuf/issues/24159
Fixed by: https://github.com/protocolbuffers/protobuf/commit/60e93d2d104f2af9cd345b1c6f3891d91430244a (v4.33.6)
https://github.com/protocolbuffers/protobuf/issues/25067
Fixed by: https://github.com/protocolbuffers/protobuf/commit/c8e9b27d95c6ab2d0668b5889e7dac2c477b7038 (v4.33.6)