Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Default preserve_unknown_fields=true makes any network-exposed buffa service unauthenticated and exploitable at low complexity; process crash via OOM is high availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.8.0, the decode_unknown_field function in buffa's protobuf decoder allocated heap memory in proportion to untrusted input (unknown fields in the serialized protobuf) without enforcing an allocation budget, affecting any message decoded from untrusted input using code generated with preserve_unknown_fields=true (the default); a small, well-formed payload of nested unknown fields inside a StartGroup could trigger roughly 22x memory amplification (for example a 64 MiB input forcing about 1.4 GB of heap allocation), and length-delimited unknown fields could be sized arbitrarily, so an unauthenticated attacker could crash a process through memory exhaustion because the top-level message size cap did not account for in-decode amplification. This issue is fixed in version 0.8.0.
AnalysisAI
Uncontrolled heap amplification in Buffa's protobuf decoder allows an unauthenticated remote attacker to crash any network-facing Rust service that decodes untrusted protobuf input under the default code-generation settings, with no exploit code required beyond a well-formed serialized message. The amplification mechanism - roughly 22× for nested StartGroup unknown fields - means a 64 MiB payload can force approximately 1.4 GiB of heap allocation, exhausting process memory and terminating the service. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three conditions to be simultaneously satisfied. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.3 with VA:L (low vulnerable-system availability impact) appears to understate real-world severity given the 22× amplification ratio described - a single moderately sized request crashing a process constitutes a complete denial of service, which typically warrants VA:H. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network access to any service that accepts serialized protobuf input sends a crafted 64 MiB message containing deeply nested StartGroup unknown fields. The buffa decoder materializes each unknown record into a ~40-byte heap struct without bound, driving allocation to approximately 1.4 GiB; the OS OOM killer or process allocator terminates the service. … |
| Remediation | The primary fix is to upgrade Buffa to version 0.8.0, available at https://github.com/anthropics/buffa/releases/tag/v0.8.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44951