CVE-2026-45799
Received Received - Intake

ByteArrayProtoReader32 Negative Skip in Wire

Vulnerability report for CVE-2026-45799, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Wire provides gRPC and protocol buffers for Android, Kotlin, Swift, and Java. Prior to 6.3.0 and 7.0.0-alpha03, ByteArrayProtoReader32.skipGroup() and ProtoReader.skipGroup() in wire-runtime do not validate that a LENGTH_DELIMITED field length is non-negative before skip(), allowing a crafted protobuf varint encoding -128 as a signed Int to make skip(-128) move the internal position negative and make the next readByte() throw ArrayIndexOutOfBoundsException instead of the documented IOException or ProtocolException, which can crash services using ProtoAdapter.decode(byte[]) on untrusted payloads. This issue is fixed in versions 6.3.0 and 7.0.0-alpha03.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
wire wire-runtime to 7.0.0-alpha03 (exc)
square wire 6.3.0
square wire 7.0.0-alpha03
square wire to 6.3.0 (exc)
square wire to 7.0.0-alpha03 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-129 The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves a missing check for negative-length values in Wire's protobuf group-skipping functions. A crafted payload with a negative length (encoded as -128) causes an internal position counter to underflow, leading to an ArrayIndexOutOfBoundsException instead of proper error handling. This crashes services decoding untrusted payloads.

Detection Guidance

Detecting this vulnerability requires checking the Wire library version in use. Commands like 'find . -name "*.jar" -exec jar tf {} \; | grep -i wire' or 'mvn dependency:tree' in Java projects can help identify the Wire version. If the version is below 6.3.0 or 7.0.0-alpha03, the system is vulnerable.

Impact Analysis

This vulnerability can crash services that decode untrusted protobuf payloads using Wire. It allows denial-of-service attacks by causing unexpected runtime exceptions, potentially disrupting service availability.

Mitigation Strategies

Upgrade the Wire library to version 6.3.0 or later for 6.x branches, or 7.0.0-alpha03 or later for 7.x branches. Avoid decoding untrusted protobuf payloads until the upgrade is complete. Monitor for crashes in services using Wire's protobuf decoding.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45799. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart