#1134895 protobuf: CVE-2026-6409

Package:
src:protobuf
Source:
src:protobuf
Submitter:
Moritz Mühlenhoff
Date:
2026-06-21 15:55:01 UTC
Severity:
normal
Tags:
#1134895#5
Date:
2026-04-25 12:15:57 UTC
From:
To:
Hi,

The following vulnerability was published for protobuf.

CVE-2026-6409[0]:
| A Denial of Service (DoS) vulnerability exists in the Protobuf PHP
| library during the parsing of untrusted input. Maliciously
| structured messages—specifically those containing negative varints
| or deep recursion—can be used to crash the application, impacting
| service availability.

https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-p2gh-cfq4-4wjc

https://github.com/protocolbuffers/protobuf/issues/24159
https://github.com/protocolbuffers/protobuf/commit/60e93d2d104f2af9cd345b1c6f3891d91430244a (v4.33.6)
https://github.com/protocolbuffers/protobuf/issues/25067
https://github.com/protocolbuffers/protobuf/commit/c8e9b27d95c6ab2d0668b5889e7dac2c477b7038 (v4.33.6)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-6409
https://www.cve.org/CVERecord?id=CVE-2026-6409

Please adjust the affected versions in the BTS as needed.

#1134895#16
Date:
2026-06-21 13:19:54 UTC
From:
To:
Dear maintainer,

I've prepared an NMU for protobuf (versioned as 3.21.12-15.1) and
uploaded it to DELAYED/7. Please feel free to tell me if I should
cancel it.

cu
Adrian

#1134895#21
Date:
2026-06-21 14:08:26 UTC
From:
To:
Hi Adrian,
Thanks for your work. If you ping me, I'll apply your patches and the
NMU is not necessary.
Still, the upload with your changes is in progress.

Cheers,
Laszlo/GCS

#1134895#26
Date:
2026-06-21 14:33:53 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
protobuf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1134895@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated protobuf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 21 Jun 2026 15:36:07 +0200
Source: protobuf
Architecture: source
Version: 3.21.12-16
Distribution: unstable
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 1126302 1134895
Changes:
 protobuf (3.21.12-16) unstable; urgency=medium
 .
   [ Adrian Bunk <bunk@debian.org> ]
   * Fix CVE-2026-0994: JSON recursion depth bypass (closes: #1126302).
   * Fix CVE-2026-6409: PHP Denial of Service (closes: #1134895).

#1134895#31
Date:
2026-06-21 15:52:45 UTC
From:
To:
Hi László,

I guessed that you would react quickly, but it's still faster for me to
do the NMU to delayed:

Preparing an NMU is not more work for me than sending patches to the BTS.

And in the many cases where a maintainer does not react it saves me the
additional work to later revisit the package and do an NMU.

cu
Adrian