CVE-2026-55407 in buffa情報

要約

〜によって MITRE • 2026年07月16日

Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.8.0, the decode_unknown_field function in buffa's protobuf decoder allocated heap memory in proportion to untrusted input (unknown fields in the serialized protobuf) without enforcing an allocation budget, affecting any message decoded from untrusted input using code generated with preserve_unknown_fields=true (the default); a small, well-formed payload of nested unknown fields inside a StartGroup could trigger roughly 22x memory amplification (for example a 64 MiB input forcing about 1.4 GB of heap allocation), and length-delimited unknown fields could be sized arbitrarily, so an unauthenticated attacker could crash a process through memory exhaustion because the top-level message size cap did not account for in-decode amplification. This issue is fixed in version 0.8.0.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

責任者

GitHub M

予約する

2026年06月16日

モデレーション

承諾済み

エントリ

VDB-379583

EPSS

0.00000

アクティビティ

非常低い

ソース

Interested in the pricing of exploits?

See the underground prices here!