CVE-2026-6409
Status: Received - Intake
Denial of Service in Protobuf PHP via Malformed Input Parsing

Publication date: 2026-04-16

Last updated on: 2026-04-16

Assigner: Google Inc.

Description
A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.
Meta Information
Published: 2026-04-16
Last Modified: 2026-04-16
Generated: 2026-06-16
AI Q&A: 2026-04-16
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: google; Product: protobuf_php_library; Version / Range: * (1 associated CPE)
CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Executive Summary

This vulnerability is a Denial of Service (DoS) issue in the Protobuf PHP library that occurs during the parsing of untrusted input. Specifically, maliciously crafted messages containing negative varints or deep recursion can cause the application to crash. The crash happens because the library does not reject these malformed structures before processing them.
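The two checks the description and the summary above call for, as an added illustration in Python that is not the Protobuf PHP library's own code: a varint decoder capped at ten bytes which rejects length values above INT64_MAX (the values a signed 64-bit integer, such as PHP's int, would read as negative), and a depth limit on nested sub-messages so hostile input raises an error instead of crashing the parser. The sub-message field set, the depth limit of 32 and the sample messages built by `nest()` are assumptions constructed for this example.

```python
# Added illustration (not the Protobuf PHP library's code): bounded varint decoding plus a nesting-depth limit.
MAX_VARINT_BYTES = 10        # a 64-bit varint never needs more than 10 bytes
INT64_MAX = (1 << 63) - 1    # larger values become negative in a signed 64-bit int (PHP's int)
MAX_DEPTH = 32               # assumed limit on nested sub-messages

def read_varint(buf: bytes, pos: int):
    """Decode one base-128 varint at buf[pos]; return (value, next_pos)."""
    value = 0
    for i, b in enumerate(buf[pos:pos + MAX_VARINT_BYTES]):
        value |= (b & 0x7F) << (7 * i)
        if not b & 0x80:
            return value, pos + i + 1
    raise ValueError("truncated varint" if len(buf) - pos < MAX_VARINT_BYTES
                     else "varint longer than 10 bytes")

def walk(buf: bytes, nested=frozenset({1}), depth=0) -> int:
    """Count fields at all levels; `nested` = field numbers assumed to be sub-messages."""
    if depth > MAX_DEPTH:                      # refuse instead of overflowing the stack
        raise ValueError(f"nesting deeper than {MAX_DEPTH}")
    pos, count = 0, 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wire_type = tag >> 3, tag & 0x7
        count += 1
        if wire_type == 0:                     # varint payload: decode and skip
            _, pos = read_varint(buf, pos)
        elif wire_type == 2:                   # length-delimited payload
            length, pos = read_varint(buf, pos)
            if length > INT64_MAX or length > len(buf) - pos:
                raise ValueError("negative length varint" if length > INT64_MAX
                                 else "length exceeds remaining input")
            if field in nested:                # recurse into the sub-message
                count += walk(buf[pos:pos + length], nested, depth + 1)
            pos += length
        else:                                  # fixed32/fixed64/groups: out of scope here
            raise ValueError(f"unsupported wire type {wire_type}")
    return count

def check(buf: bytes) -> str:
    """Return 'ok' or the rejection reason a front-end validator would log."""
    try:
        walk(buf)
        return "ok"
    except ValueError as err:
        return str(err)

def nest(depth: int) -> bytes:
    """Constructed sample: field 1 = varint 7, wrapped `depth` times in a field-1 sub-message."""
    msg = bytes([0x08, 0x07])                  # tag (field 1, wire type 0), value 7
    for _ in range(depth):
        msg = bytes([0x0A, len(msg)]) + msg    # tag (field 1, wire type 2); lengths stay < 128
    return msg
```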

Impact Analysis

The primary impact of this vulnerability is a Denial of Service (DoS), meaning the affected application or service can crash and become unavailable. This can disrupt normal operations and prevent legitimate users from accessing the service. Since the vulnerability can be triggered remotely without privileges, it poses a significant risk to service availability.

Compliance Impact

This vulnerability causes a Denial of Service (DoS) by crashing applications that parse maliciously structured Protobuf PHP messages, impacting service availability. Since availability is a key component of many compliance frameworks such as GDPR and HIPAA, this vulnerability could negatively affect compliance by disrupting the availability of services that handle sensitive or regulated data. However, specific impacts on compliance requirements or mitigation strategies are not detailed in the provided information.
