Skip to main content

Buffa EUVDEUVD-2026-44951

| CVE-2026-55407 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-07-16 GitHub_M
6.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Default preserve_unknown_fields=true makes any network-exposed buffa service unauthenticated and exploitable at low complexity; process crash via OOM is high availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 16, 2026 - 18:18 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 16:37 vuln.today
Analysis Generated
Jul 16, 2026 - 16:37 vuln.today

DescriptionCVE.org

Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.8.0, the decode_unknown_field function in buffa's protobuf decoder allocated heap memory in proportion to untrusted input (unknown fields in the serialized protobuf) without enforcing an allocation budget, affecting any message decoded from untrusted input using code generated with preserve_unknown_fields=true (the default); a small, well-formed payload of nested unknown fields inside a StartGroup could trigger roughly 22x memory amplification (for example a 64 MiB input forcing about 1.4 GB of heap allocation), and length-delimited unknown fields could be sized arbitrarily, so an unauthenticated attacker could crash a process through memory exhaustion because the top-level message size cap did not account for in-decode amplification. This issue is fixed in version 0.8.0.

AnalysisAI

Uncontrolled heap amplification in Buffa's protobuf decoder allows an unauthenticated remote attacker to crash any network-facing Rust service that decodes untrusted protobuf input under the default code-generation settings, with no exploit code required beyond a well-formed serialized message. The amplification mechanism - roughly 22× for nested StartGroup unknown fields - means a 64 MiB payload can force approximately 1.4 GiB of heap allocation, exhausting process memory and terminating the service. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify network-exposed buffa protobuf endpoint
Delivery
Craft 64 MiB payload with nested StartGroup unknown fields
Exploit
Submit unauthenticated protobuf request
Execution
Decoder materializes ~22× amplified heap objects
Persist
Process exhausts available memory
Impact
Service crash (denial of service)

Vulnerability AssessmentAI

Exploitation Exploitation requires three conditions to be simultaneously satisfied. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.3 with VA:L (low vulnerable-system availability impact) appears to understate real-world severity given the 22× amplification ratio described - a single moderately sized request crashing a process constitutes a complete denial of service, which typically warrants VA:H. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to any service that accepts serialized protobuf input sends a crafted 64 MiB message containing deeply nested StartGroup unknown fields. The buffa decoder materializes each unknown record into a ~40-byte heap struct without bound, driving allocation to approximately 1.4 GiB; the OS OOM killer or process allocator terminates the service. …
Remediation The primary fix is to upgrade Buffa to version 0.8.0, available at https://github.com/anthropics/buffa/releases/tag/v0.8.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44951 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy