CVE-2026-6409

Low

Low Medium High Critical

CVSS Score

Published: Apr 16, 2026

Last Modified: Apr 17, 2026

Vulnerability Description

A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.

References & Resources

https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-p2gh-cfq4-4wjc
cve-coordination@google.com

Severity Details

out of 10.0

Low

Weakness Type (CWE)

CWE-20 Top 25 #14

Improper Input Validation

Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Exploit Likelihood: High
Typical Severity: High
Abstraction Level: Class

View CWE Details on MITRE

Key Information

Published Date: April 16, 2026

External Resources

NIST NVD

National Vulnerability Database

MITRE CVE

Official CVE record

CVE Vulnerabilities

Posts & Pages