Skip to main content

Buffa

2 CVEs product

Monthly

CVE-2026-55407 MEDIUM PATCH This Month

Uncontrolled heap amplification in Buffa's protobuf decoder allows an unauthenticated remote attacker to crash any network-facing Rust service that decodes untrusted protobuf input under the default code-generation settings, with no exploit code required beyond a well-formed serialized message. The amplification mechanism - roughly 22× for nested StartGroup unknown fields - means a 64 MiB payload can force approximately 1.4 GiB of heap allocation, exhausting process memory and terminating the service. No active exploitation is confirmed (not in CISA KEV), and no public proof-of-concept has been identified at time of analysis, but the attack is trivially constructible from the public advisory.

Denial Of Service Buffa
NVD GitHub
CVSS 4.0
6.3
EPSS
0.6%
CVE-2026-55406 MEDIUM PATCH This Month

Use-after-free in Buffa's OwnedView<V> type allows safe Rust calling code to hold field references that outlive the backing buffer, enabling read of freed heap memory and information disclosure. Affected are all Buffa releases prior to 0.7.0 (CPE: cpe:2.3:a:anthropics:buffa:*:*:*:*:*:*:*:*). The flaw is a soundness violation - no unsafe code in the caller is required - making it particularly insidious in a memory-safe language context. No public exploit identified at time of analysis and no CISA KEV listing; the CVSS 4.0 score of 5.9 reflects the high-complexity exploitation conditions acknowledged by the vendor.

Buffer Overflow Information Disclosure Buffa
NVD GitHub
CVSS 4.0
5.9
EPSS
0.1%
EPSS 1% CVSS 6.3
MEDIUM PATCH This Month

Uncontrolled heap amplification in Buffa's protobuf decoder allows an unauthenticated remote attacker to crash any network-facing Rust service that decodes untrusted protobuf input under the default code-generation settings, with no exploit code required beyond a well-formed serialized message. The amplification mechanism - roughly 22× for nested StartGroup unknown fields - means a 64 MiB payload can force approximately 1.4 GiB of heap allocation, exhausting process memory and terminating the service. No active exploitation is confirmed (not in CISA KEV), and no public proof-of-concept has been identified at time of analysis, but the attack is trivially constructible from the public advisory.

Denial Of Service Buffa
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Use-after-free in Buffa's OwnedView<V> type allows safe Rust calling code to hold field references that outlive the backing buffer, enabling read of freed heap memory and information disclosure. Affected are all Buffa releases prior to 0.7.0 (CPE: cpe:2.3:a:anthropics:buffa:*:*:*:*:*:*:*:*). The flaw is a soundness violation - no unsafe code in the caller is required - making it particularly insidious in a memory-safe language context. No public exploit identified at time of analysis and no CISA KEV listing; the CVSS 4.0 score of 5.9 reflects the high-complexity exploitation conditions acknowledged by the vendor.

Buffer Overflow Information Disclosure Buffa
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy