Skip to main content

Buffa CVE-2026-55406

| EUVDEUVD-2026-44949 MEDIUM
Information Exposure (CWE-200)
2026-07-16 GitHub_M
5.9
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.7 MEDIUM

Local vector because misuse requires specific application code pattern; AC:H for the non-default usage condition; C:H for freed-heap disclosure; I:L for theoretical memory corruption; no availability impact.

3.1 AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 16, 2026 - 18:18 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 16:36 vuln.today
Analysis Generated
Jul 16, 2026 - 16:36 vuln.today

DescriptionCVE.org

Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.7.0, a soundness bug in the OwnedView<V> type allowed safe Rust code to trigger a use-after-free: the OwnedView::decode constructor transmuted a borrowed slice to &'static [u8], and the Deref implementation exposed the promoted 'static lifetime on borrowed view fields (such as &'static str and &'static [u8]) to callers, so the borrow checker permitted those references to outlive the OwnedView; once the OwnedView was dropped and its backing buffer freed, the references became dangling, enabling memory corruption, information disclosure of freed heap contents, and cross-thread misuse without any unsafe code in the calling application. This issue is fixed in version 0.7.0.

AnalysisAI

Use-after-free in Buffa's OwnedView<V> type allows safe Rust calling code to hold field references that outlive the backing buffer, enabling read of freed heap memory and information disclosure. Affected are all Buffa releases prior to 0.7.0 (CPE: cpe:2.3:a:anthropics:buffa:*:*:*:*:*:*:*:*). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker supplies protobuf payload
Delivery
Application decodes into OwnedView, stores field reference
Exploit
OwnedView dropped, Bytes buffer freed
Execution
Stored reference dangles into freed heap
Persist
Application reads dangling reference
Impact
Freed heap contents disclosed

Vulnerability AssessmentAI

Exploitation Exploitation requires calling application code that captures a view field reference (e.g., &str, &[u8]) from an OwnedView handle and holds that reference in a data structure or variable that outlives the OwnedView itself. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N) scores 5.9 (Medium), and the vendor's own CHANGELOG explicitly qualifies the exposure: 'in practice this required the calling application to deliberately store a field reference beyond the handle's lifetime, so the practical exposure is limited.' This is not a remotely triggerable flaw against a networked service endpoint; exploitation requires specific application-level code that retains OwnedView field references across the handle's drop point. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application decodes a protobuf message into an OwnedView<PersonView> and stores a field reference such as let name: &str = &*owned_view.name into a longer-lived struct or async task. When the OwnedView is subsequently dropped at end of scope, the underlying Bytes buffer is freed. …
Remediation Vendor-released patch: Buffa 0.7.0, available at https://github.com/anthropics/buffa/releases/tag/v0.7.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55406 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy