Severity by source
CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local vector because misuse requires specific application code pattern; AC:H for the non-default usage condition; C:H for freed-heap disclosure; I:L for theoretical memory corruption; no availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.7.0, a soundness bug in the OwnedView<V> type allowed safe Rust code to trigger a use-after-free: the OwnedView::decode constructor transmuted a borrowed slice to &'static [u8], and the Deref implementation exposed the promoted 'static lifetime on borrowed view fields (such as &'static str and &'static [u8]) to callers, so the borrow checker permitted those references to outlive the OwnedView; once the OwnedView was dropped and its backing buffer freed, the references became dangling, enabling memory corruption, information disclosure of freed heap contents, and cross-thread misuse without any unsafe code in the calling application. This issue is fixed in version 0.7.0.
AnalysisAI
Use-after-free in Buffa's OwnedView<V> type allows safe Rust calling code to hold field references that outlive the backing buffer, enabling read of freed heap memory and information disclosure. Affected are all Buffa releases prior to 0.7.0 (CPE: cpe:2.3:a:anthropics:buffa:*:*:*:*:*:*:*:*). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires calling application code that captures a view field reference (e.g., &str, &[u8]) from an OwnedView handle and holds that reference in a data structure or variable that outlives the OwnedView itself. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N) scores 5.9 (Medium), and the vendor's own CHANGELOG explicitly qualifies the exposure: 'in practice this required the calling application to deliberately store a field reference beyond the handle's lifetime, so the practical exposure is limited.' This is not a remotely triggerable flaw against a networked service endpoint; exploitation requires specific application-level code that retains OwnedView field references across the handle's drop point. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An application decodes a protobuf message into an OwnedView<PersonView> and stores a field reference such as let name: &str = &*owned_view.name into a longer-lived struct or async task. When the OwnedView is subsequently dropped at end of scope, the underlying Bytes buffer is freed. … |
| Remediation | Vendor-released patch: Buffa 0.7.0, available at https://github.com/anthropics/buffa/releases/tag/v0.7.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-200 – Information Exposure
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44949