CVE-2026-55407 in buffa
Summary
by MITRE • 07/16/2026
Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.8.0, the decode_unknown_field function in buffa's protobuf decoder allocated heap memory in proportion to untrusted input (unknown fields in the serialized protobuf) without enforcing an allocation budget, affecting any message decoded from untrusted input using code generated with preserve_unknown_fields=true (the default); a small, well-formed payload of nested unknown fields inside a StartGroup could trigger roughly 22x memory amplification (for example a 64 MiB input forcing about 1.4 GB of heap allocation), and length-delimited unknown fields could be sized arbitrarily, so an unauthenticated attacker could crash a process through memory exhaustion because the top-level message size cap did not account for in-decode amplification. This issue is fixed in version 0.8.0.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability in buffa's protobuf implementation represents a critical memory exhaustion flaw that directly impacts systems processing untrusted protobuf data. The root cause lies in the decode_unknown_field function which fails to enforce allocation budget constraints when handling unknown fields within serialized protobuf messages. This weakness specifically affects applications using code generation with preserve_unknown_fields=true, which is the default setting, making virtually all consumers of this library susceptible to exploitation. The flaw demonstrates a classic buffer overflow pattern where untrusted input controls heap memory allocation size, creating an avenue for denial-of-service attacks through resource exhaustion.
The technical execution of this vulnerability leverages the protobuf wire format's handling of unknown fields, particularly nested StartGroup and length-delimited field structures. When processing malformed payloads containing deeply nested unknown fields, the decoder exhibits severe memory amplification characteristics where small input data can trigger massive heap allocations. A payload of approximately 64 MiB can force the system to allocate around 1.4 GiB of heap memory, representing roughly 22x amplification. This exponential growth occurs because the decoder does not account for in-decode amplification when applying top-level message size limits, allowing attackers to bypass normal input validation mechanisms that would otherwise prevent oversized data processing.
From a cybersecurity perspective, this vulnerability aligns with multiple ATT&CK techniques including T1499.004 (Resource Hijacking) and T1566.001 (Phishing with Malicious Attachment), as it enables attackers to consume system resources without requiring complex exploitation chains. The vulnerability also maps to CWE-772 (Missing Release of Resource after Effective Lifetime) and CWE-1321 (Improper Handling of Highly Compressed Data), highlighting both the resource management failure and the insufficient handling of data compression effects in the decoding process. The memory amplification characteristics make this particularly dangerous for network services that process untrusted protobuf data, as attackers can craft payloads that consume minimal network bandwidth while generating massive memory consumption.
The operational impact extends beyond simple denial-of-service scenarios to potentially compromise system stability and availability of applications relying on buffa's protobuf processing capabilities. Systems processing protobuf data from external sources become vulnerable to resource exhaustion attacks, particularly affecting services running in constrained environments or those with limited memory resources. The vulnerability's exploitation does not require authentication, making it particularly dangerous for publicly exposed services that process user-provided protobuf data, such as API endpoints, message queues, or data ingestion pipelines. Organizations using buffa versions prior to 0.8.0 must urgently assess their exposure and implement mitigation strategies including input validation, rate limiting, and memory monitoring to prevent exploitation of this vulnerability.
The fix implemented in version 0.8.0 addresses the core issue by introducing proper allocation budget enforcement within the decode_unknown_field function. This update ensures that heap memory allocation remains proportional to the actual data size rather than allowing unbounded amplification through nested unknown fields. The solution demonstrates proper resource management practices aligned with secure coding standards and represents a critical security improvement for any application processing protobuf data from untrusted sources, effectively closing the memory exhaustion attack vector while maintaining backward compatibility with legitimate use cases.