Denial of Service Vulnerability in Protobuf PHP Library by Protocol Buffers
CVE-2026-6409

7.1 HIGH

Key Information:

Vendor
CVE Published: 16 April 2026

What is CVE-2026-6409?

The Protobuf PHP library is susceptible to a Denial of Service (DoS) vulnerability when parsing untrusted input. Attackers can craft malicious messages, particularly those containing negative varints or deep recursion, that crash the application and disrupt service availability. This vulnerability underscores the importance of validating input before it is parsed.

Affected Version(s)

Protobuf-php (Pecl) 0 < 5.34.0-RC1

Protobuf-php (Pecl) 0 < 4.33.6

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

https://github.com/34selen