VYPR
High severity · GHSA Advisory · Published Apr 16, 2026 · Updated Apr 17, 2026

CVE-2026-6409

Description

A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.
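The two failure modes above, as an added illustration that is not code from the protobuf project: a minimal Python reader for protobuf wire format that applies the negative-length check and a recursion budget, exercised with the advisory's `0afaffffff0f` payload and a constructed deeply nested message. The field numbers (1 = nested message, 2 = int32) and the 100-deep budget are assumptions for the example.

```python
# Added example, not the library's code; assumes field 1 (wire type 2) is the nested
# message, field 2 (varint) stands in for optional_int32, and the depth budget is 100.
RECURSION_LIMIT = 100
def read_varint(buf, pos):
    """Decode a base-128 varint at buf[pos]; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or overlong varint")
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def length_ok(size, remaining, patched=True):
    # Unpatched: only `remaining < size` was tested, so every negative size passed.
    return not (size < 0 or remaining < size) if patched else not remaining < size
def parse_message(buf, depth=0):
    """Walk the fields, recurse into field 1, return the deepest nesting level reached."""
    if depth > RECURSION_LIMIT:
        raise ValueError("recursion limit exceeded")
    pos, deepest = 0, depth
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wire_type = tag >> 3, tag & 7
        if wire_type not in (0, 2):
            raise ValueError(f"unsupported wire type {wire_type}")
        value, pos = read_varint(buf, pos)          # scalar varint, or a length prefix
        if wire_type == 0:
            continue
        size = (value & 0xFFFFFFFF) - ((1 << 32) if value & 0x80000000 else 0)  # as int32
        if not length_ok(size, len(buf) - pos):
            raise ValueError(f"invalid length {size}")
        if field == 1:
            deepest = max(deepest, parse_message(buf[pos:pos + size], depth + 1))
        pos += size
    return deepest

def encode_varint(v):
    out = bytearray()
    while v > 0x7F:
        out.append((v & 0x7F) | 0x80)
        v >>= 7
    return bytes(out + bytes([v]))
def make_recursive(depth):
    body = b"\x10\x01"                              # innermost: field 2 = 1 (constructed)
    for _ in range(depth):                          # wrap in field 1, wire type 2
        body = b"\x0a" + encode_varint(len(body)) + body
    return body
```

`length_ok(..., patched=False)` reproduces the pre-fix comparison so the two checks can be compared side by side on the same negative size.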

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                       Affected versions   Patched versions
google/protobuf (Packagist)   < 4.33.6            4.33.6

Patches

c8e9b27d95c6

php: Fix that recursion limit is not enforced.

https://github.com/protocolbuffers/protobuf · Protobuf Team Bot · Jan 14, 2026 · via ghsa
2 files changed · +26 −1
  • php/src/Google/Protobuf/Internal/CodedInputStream.php · +1 −1 · modified
    @@ -337,7 +337,7 @@ public function incrementRecursionDepthAndPushLimit(
             $byte_limit, &$old_limit, &$recursion_budget)
         {
             $old_limit = $this->pushLimit($byte_limit);
    -        $recursion_limit = --$this->recursion_limit;
    +        $recursion_budget = --$this->recursion_budget;
         }
     
         public function decrementRecursionDepthAndPopLimit($byte_limit)
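Review bot: the one-line fix is right, but the commit message should say why it matters: the removed line wrote the decremented value into a local `$recursion_limit` (reading a differently named property, `$this->recursion_limit`), so the by-reference `&$recursion_budget` parameter was never updated and the caller's budget never shrank, which is exactly why the limit was not enforced. Consider a unit test that calls `incrementRecursionDepthAndPushLimit` directly and asserts `$recursion_budget` drops by one per call, independent of the end-to-end EncodeDecodeTest cases.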
    
  • php/tests/EncodeDecodeTest.php · +25 −0 · modified
    @@ -603,6 +603,31 @@ public function testDecodeNegativeInt32()
             $this->assertEquals(-1, $m->getOptionalInt32());
         }
     
    +    private function makeRecursiveMessage($depth) {
    +        $m = new TestMessage();
    +        $m->setOptionalInt32(1);
    +        if ($depth == 0) {
    +            return $m;
    +        }
    +        $m->setRecursive($this->makeRecursiveMessage($depth - 1));
    +        return $m;
    +    }
    +
    +    public function testRecursiveMessage() {
    +        $payload = $this->makeRecursiveMessage(99)->serializeToString();
    +
    +        $m = new TestMessage();
    +        $m->mergeFromString($payload);
    +    }
    +
    +    public function testOverlyRecursiveMessage() {
    +        $this->expectException(Exception::class);
    +        $payload = $this->makeRecursiveMessage(101)->serializeToString();
    +
    +        $m = new TestMessage();
    +        $m->mergeFromString($payload);
    +    }
    +
         public function testRandomFieldOrder()
         {
             $m = new TestRandomFieldOrder();
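Review bot: `testRecursiveMessage` has no assertion, so PHPUnit flags it as risky and it would still pass if decoding silently stopped early; assert on the decoded result, e.g. follow the `recursive` field's getter 99 levels down and check `getOptionalInt32()` is 1 at the bottom. The depths 99 and 101 are bare magic numbers: a short comment saying they straddle the default recursion limit would make the boundary explicit, and `expectException(Exception::class)` is broad enough to match an unrelated failure, so narrowing it to the specific class or adding `expectExceptionMessage` would make the test fail for the right reason only.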
    
60e93d2d104f

Check that `readRaw` does not accept negative length value.

https://github.com/protocolbuffers/protobuf · Protobuf Team Bot · Jan 13, 2026 · via ghsa
2 files changed · +9 −1
  • php/src/Google/Protobuf/Internal/CodedInputStream.php · +2 −1 · modified
    @@ -271,7 +271,8 @@ public function readTag()
         public function readRaw($size, &$buffer)
         {
             $current_buffer_size = 0;
    -        if ($this->bufferSize() < $size) {
    +        // size (varint) read from the wire could be negative.
    +        if ($size < 0 || $this->bufferSize() < $size) {
                 return false;
             }
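Review bot: the added `$size < 0` guard closes the gap, since `bufferSize() < $size` is trivially false for any negative value and the old check let such a size through. Because the fix still reports the problem only by `return false`, every caller of `readRaw` must check that return value; a follow-up that throws on the negative case here would make the failure impossible to ignore, and the new comment could say so rather than only noting that the varint can be negative.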
     
    
  • php/tests/EncodeDecodeTest.php · +7 −0 · modified
    @@ -603,6 +603,13 @@ public function testDecodeNegativeInt32()
             $this->assertEquals(-1, $m->getOptionalInt32());
         }
     
    +    public function testInvalidVarintLength() {
    +        $this->expectException(Exception::class);
    +
    +        $m = new TestMessage();
    +        $m->mergeFromString(hex2bin("0afaffffff0f"));
    +    }
    +
         private function makeRecursiveMessage($depth) {
             $m = new TestMessage();
             $m->setOptionalInt32(1);
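Review bot: `hex2bin("0afaffffff0f")` is an opaque constant; a comment decoding it would help the next reader: `0a` is field 1, wire type 2 (length-delimited), and `fa ff ff ff 0f` is the 5-byte varint 0xFFFFFFFA, which reads as -6 when taken as a signed 32-bit length. As in the recursion tests, `Exception::class` is broad; asserting the specific exception class or message would ensure the test passes only when the length check is what fires.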
    
