CVE-2026-6409
Denial of Service in Protobuf PHP via Malformed Input Parsing
Publication date: 2026-04-16
Last updated on: 2026-04-16
Assigner: Google Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| protobuf_php_library | * | |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI-Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Denial of Service (DoS) issue in the Protobuf PHP library that occurs during the parsing of untrusted input.
Specifically, maliciously crafted messages containing negative varints or deep recursion can cause the application to crash.
This crash happens because the library cannot properly handle these specially structured inputs.
How can this vulnerability impact me?
The primary impact of this vulnerability is a Denial of Service (DoS), meaning the affected application or service can crash and become unavailable.
This can disrupt normal operations and prevent legitimate users from accessing the service.
Since the vulnerability can be triggered remotely without privileges, it poses a significant risk to service availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes a Denial of Service (DoS) by crashing applications that parse maliciously structured Protobuf PHP messages, impacting service availability.
Since availability is a key component of many compliance frameworks such as GDPR and HIPAA, this vulnerability could negatively affect compliance by disrupting the availability of services that handle sensitive or regulated data.
However, specific impacts on compliance requirements or mitigation strategies are not detailed in the provided information.