Platform: php
Component: protobuf/protobuf
Fixed in: 5.34.0-RC1, 4.33.6
A Denial of Service (DoS) vulnerability has been identified in the Protobuf PHP library. It arises while parsing untrusted input: maliciously structured messages, specifically those containing negative varints or deep recursion, can crash the application. The vulnerability affects Protobuf-php versions 0.0.0 through 5.34.0-RC1, potentially leading to service unavailability. Patches are available in versions 5.34.0-RC1 and 4.33.6.
The primary impact of CVE-2026-6409 is a Denial of Service (DoS). An attacker can craft Protocol Buffer messages that target the parsing logic within Protobuf-php. Such messages, characterized by negative varint values or excessive recursion, can exhaust the application's resources, leading to a crash and subsequent service interruption. The blast radius extends to any application that uses Protobuf-php to process untrusted input, potentially affecting critical services and user-facing applications. Successful exploitation does not lead to data exfiltration or code execution, but the disruption of service can have significant operational and financial consequences.
As of the public disclosure date (2026-04-16), there is no indication of active exploitation of CVE-2026-6409. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The probability of exploitation is considered low, but the potential impact of a DoS attack warrants prompt mitigation.
Exploit Status
EPSS: 0.09% (25th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-6409 is to upgrade to a patched version of Protobuf-php. Versions 5.34.0-RC1 and 4.33.6 contain the necessary fixes to prevent the DoS vulnerability. If an immediate upgrade is not feasible, consider implementing input validation to filter out messages containing negative varints or excessive recursion. While not a complete solution, this can reduce the attack surface. Web application firewalls (WAFs) configured to inspect Protocol Buffer messages could potentially detect and block malicious payloads, but this requires specific rule customization. After upgrading, confirm the fix by sending a known malicious protobuf message to the application and verifying that it no longer crashes.
Update the Protobuf-php library to version 5.34.0-RC1 or higher to mitigate the denial of service vulnerability. Ensure you test the new version in a development environment before deploying to production. This update addresses the issue by improving the handling of malicious protobuf messages.
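The interim input-validation mitigation suggested above can be implemented as a schema-agnostic pre-check that walks the protobuf wire format before the bytes reach the library's parser. The following is an added example, not code from the Protobuf-php project or from this advisory; the class name, method names, default depth limit of 32 and the negative-varint policy flag are this example's own assumptions, and the sample messages at the bottom are constructed for illustration.

```php
<?php
// Added example (not Protobuf-php project code): pre-validate untrusted bytes before
// Message::mergeFromString(). Rejects over-long varints, embedded-message nesting deeper
// than a limit and, optionally, negative varint values. Names and limits are assumptions.
declare(strict_types=1);

final class WirePrecheckRejected extends RuntimeException {}

final class ProtobufWirePrecheck
{
    private const MAX_VARINT_BYTES = 10;   // a 64-bit value never needs more than 10 bytes

    /**
     * Returns true when $data is structurally acceptable.
     * $maxDepth: deepest embedded-message nesting allowed (assumed default of 32).
     * $rejectNegativeVarints: refuse varint fields whose value has bit 63 set, i.e. a
     * negative int32/int64 (or a uint64 >= 2^63). Off by default because legitimate
     * schemas routinely carry values such as -1.
     */
    public static function isSafe(string $data, int $maxDepth = 32, bool $rejectNegativeVarints = false): bool
    {
        try {
            return self::walk($data, 0, $maxDepth, $rejectNegativeVarints) !== null;
        } catch (WirePrecheckRejected $e) {
            return false;
        }
    }

    /** Decodes one varint at $pos. Returns [value, nextPos], or null if truncated or over-long. */
    private static function readVarint(string $data, int $pos): ?array
    {
        $len = strlen($data);
        $value = 0;
        for ($i = 0; $i < self::MAX_VARINT_BYTES && $pos < $len; $i++) {
            $byte = ord($data[$pos++]);
            $value |= ($byte & 0x7f) << (7 * $i);   // 64-bit PHP int; bit 63 set => negative
            if (($byte & 0x80) === 0) {
                return [$value, $pos];
            }
        }
        return null;   // ran off the end, or an 11th continuation byte: not a valid varint
    }

    /**
     * Walks every field of $data at nesting level $depth. Returns $depth when the bytes form
     * a well-formed message, null when they do not (the caller then treats them as opaque
     * bytes). Throws WirePrecheckRejected when a policy limit is exceeded anywhere in the tree.
     */
    private static function walk(string $data, int $depth, int $maxDepth, bool $rejectNeg): ?int
    {
        if ($depth > $maxDepth) {
            throw new WirePrecheckRejected("nesting deeper than $maxDepth");
        }
        $len = strlen($data);
        $pos = 0;
        while ($pos < $len) {
            $tag = self::readVarint($data, $pos);
            if ($tag === null || ($tag[0] >> 3) === 0) {
                return null;                       // bad tag, or field number 0
            }
            [$key, $pos] = $tag;
            switch ($key & 0x07) {
                case 0: // varint
                    $v = self::readVarint($data, $pos);
                    if ($v === null) {
                        return null;
                    }
                    if ($rejectNeg && $v[0] < 0) {
                        throw new WirePrecheckRejected('negative varint value');
                    }
                    $pos = $v[1];
                    break;
                case 1: // fixed64
                case 5: // fixed32
                    $pos += ($key & 0x07) === 1 ? 8 : 4;
                    if ($pos > $len) {
                        return null;               // truncated fixed-width field
                    }
                    break;
                case 2: // length-delimited: string, bytes, packed repeated or embedded message
                    $l = self::readVarint($data, $pos);
                    if ($l === null || $l[0] < 0 || $l[0] > $len - $l[1]) {
                        return null;               // negative or oversized length
                    }
                    $payload = substr($data, $l[1], $l[0]);
                    $pos = $l[1] + $l[0];
                    // Without the schema we cannot tell bytes from a submessage, so any payload
                    // that parses as a message counts as one more level (conservative by design).
                    if ($l[0] > 0) {
                        self::walk($payload, $depth + 1, $maxDepth, $rejectNeg);
                    }
                    break;
                default: // start/end group (3, 4) or undefined wire types (6, 7)
                    return null;
            }
        }
        return $depth;
    }

    /** Encodes a non-negative int as a varint (helper for the constructed samples below). */
    public static function encodeVarint(int $n): string
    {
        $out = '';
        do {
            $byte = $n & 0x7f;
            $n >>= 7;
            $out .= chr($n > 0 ? $byte | 0x80 : $byte);
        } while ($n > 0);
        return $out;
    }

    /** Builds a message nested $levels deep: field 1 varint 1, wrapped $levels times in field 2. */
    public static function buildNested(int $levels): string
    {
        $msg = "\x08\x01";
        for ($i = 0; $i < $levels; $i++) {
            $msg = "\x12" . self::encodeVarint(strlen($msg)) . $msg;
        }
        return $msg;
    }
}

// Constructed samples, not taken from the advisory.
$ok       = "\x08\x96\x01\x12\x05hello";               // field 1 = 150, field 2 = "hello"
$overlong = "\x08" . str_repeat("\xff", 11);            // 11-byte varint: never valid
$negative = "\x08" . str_repeat("\xff", 9) . "\x01";   // int32 -1 as a 10-byte varint
var_dump(ProtobufWirePrecheck::isSafe($ok));
var_dump(ProtobufWirePrecheck::isSafe($overlong));
var_dump(ProtobufWirePrecheck::isSafe($negative));            // accepted: policy off
var_dump(ProtobufWirePrecheck::isSafe($negative, 32, true));  // refused: policy on
var_dump(ProtobufWirePrecheck::isSafe(ProtobufWirePrecheck::buildNested(10)));
var_dump(ProtobufWirePrecheck::isSafe(ProtobufWirePrecheck::buildNested(100)));
```

Of the samples, the well-formed message and the ten-level nesting are accepted, the over-long varint and the hundred-level nesting are refused, and the ten-byte encoding of -1 is refused only when the negative-varint policy is switched on. Because the walker has no schema, a string or bytes field whose contents happen to decode as a valid message is counted as nesting, and the negative-varint policy will also refuse legitimate negative int32/int64 and large uint64 values; both are deliberate false-positive trade-offs for a stop-gap that buys time until the library upgrade, not a replacement for it. Work per call is bounded by the input size times the depth limit, and the walker's own recursion stops at the limit, so the check itself cannot be driven into the failure it guards against.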
CVE-2026-6409 is a Denial of Service vulnerability in Protobuf-php affecting versions 0.0.0–5.34.0-RC1. Maliciously crafted Protocol Buffer messages can cause application crashes, leading to service unavailability.
You are affected if your application uses Protobuf-php versions 0.0.0 through 5.34.0-RC1 and processes untrusted Protocol Buffer messages.
Upgrade to Protobuf-php version 5.34.0-RC1 or 4.33.6. Consider input validation as a temporary mitigation if an upgrade is not immediately possible.
As of the current date, there is no evidence of active exploitation or public proof-of-concept code for CVE-2026-6409.
Refer to the Protobuf-php project's security advisories and release notes for details on CVE-2026-6409 and the corresponding fixes.