CVE-2026-6409 HIGH

CVE-2026-6409: Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input

Vendor Protocol Buffers
Product Protobuf-php (Pecl)
Weakness CWE-20 · Input validation
Published April 16, 2026
Last update April 16, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Passive
Confidentiality None
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.

Key dates

Disclosure timeline

April 16, 2026 CVE published
April 16, 2026 Record updated