CVE-2026-55407
Deferred Deferred - Pending Action

Heap Exhaustion in Buffa Protobuf Decoder

Vulnerability report for CVE-2026-55407, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.8.0, the decode_unknown_field function in buffa's protobuf decoder allocated heap memory in proportion to untrusted input (unknown fields in the serialized protobuf) without enforcing an allocation budget, affecting any message decoded from untrusted input using code generated with preserve_unknown_fields=true (the default); a small, well-formed payload of nested unknown fields inside a StartGroup could trigger roughly 22x memory amplification (for example a 64 MiB input forcing about 1.4 GB of heap allocation), and length-delimited unknown fields could be sized arbitrarily, so an unauthenticated attacker could crash a process through memory exhaustion because the top-level message size cap did not account for in-decode amplification. This issue is fixed in version 0.8.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
buffa buffa to 0.8.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a memory exhaustion denial of service in the Buffa Rust library's protobuf decoder. It occurs because the decode_unknown_field function allocates heap memory proportional to untrusted input without enforcing an allocation budget. Attackers can send small payloads with nested unknown fields to trigger massive memory amplification, causing processes to crash due to memory exhaustion.

Detection Guidance

Detecting this vulnerability requires monitoring for excessive memory usage during protobuf decoding. Check for processes using buffa with preserve_unknown_fields=true that show memory spikes disproportionate to input size. Use system monitoring tools like top, htop, or ps to observe memory consumption during protobuf parsing operations.

Impact Analysis

An unauthenticated attacker could exploit this to crash applications processing untrusted protobuf data by sending specially crafted payloads. This leads to denial of service, system unavailability, and potential service disruptions. Systems using preserve_unknown_fields=true (default) are particularly vulnerable.

Compliance Impact

This vulnerability primarily impacts system availability through memory exhaustion, which could lead to service disruptions. It does not directly affect confidentiality or integrity of data. Compliance with standards like GDPR or HIPAA typically focuses on data protection and availability. While this issue could cause downtime, it does not inherently violate these regulations unless it leads to unauthorized data access or prolonged unavailability of critical systems.

Mitigation Strategies

Upgrade to buffa version 0.8.0 or later. Alternatively, set preserve_unknown_fields=false in generated code. For connectrpc users, ensure DEFAULT_MAX_MESSAGE_SIZE is enforced. Monitor for unknown field limit errors in logs after applying fixes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55407. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart