CVE-2026-6409 — Protobuf: Denial of Service issue through malicious messages containing negative

Description

A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.

How to fix CVE-2026-6409

To remediate CVE-2026-6409, upgrade the affected package to a fixed version below.

Debian/protobuf—no fix listed
Packagist/google/protobuf—upgrade to 4.33.6 or later

Is CVE-2026-6409 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 4.33.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-6409
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-6409
PATCHgithub.com/protocolbuffers/protobuf
WEBgithub.com/protocolbuffers/protobuf/commit/60e93d2d104f2af9cd345b1c6f3891d91430244a