22x memory amplification DoS in Anthropic's buffa protobuf decoder (CVE-2026-55407)
- #Protobuf Decoding
- #Memory Allocation
- #Denial of Service
- AI SAST identified a denial-of-service vulnerability in buffa's protobuf decoding via unknown-field handling.
- A flat unknown-field sink allocates roughly 2x the input size, while a nested group sink amplifies the memory cost of tiny inputs by roughly 22x, which is enough to cause out-of-memory crashes.
- The flaw affects default settings and was fixed in buffa and connectrpc 0.8.0 with a per-message unknown-field count limit.
- Severity varies by deployment, with CVSS 4.0 scored as 6.3 (Moderate) for some profiles but higher for others.
- Anthropic responded collaboratively, issued a CVE (CVE-2026-55407), and provided mitigation options like disabling unknown-field retention.
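To make the mitigation concrete, here is an added example (written for this page, not buffa's or connectrpc's code) of a minimal protobuf wire-format reader that retains unknown fields the way a decoder's unknown-field sink would, but enforces a per-message unknown-field count limit of the kind the fix introduced. The limit value (`MAX_UNKNOWN_FIELDS_PER_MESSAGE = 100`), the extra group-nesting depth cap, and all function and class names are this example's own assumptions; the page gives no numbers. Each group (wire type 3) is decoded as its own message scope, so the count limit applies per nested message, and the depth cap bounds how many such scopes can stack.

```python
"""Illustrative protobuf wire-format reader with bounded unknown-field retention.
Assumed limits and names; not the code of buffa, connectrpc or any real library."""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Assumed values: the page reports a per-message count limit but no number.
MAX_UNKNOWN_FIELDS_PER_MESSAGE = 100
MAX_GROUP_DEPTH = 16  # this example's own addition, bounds nested group scopes

VARINT, FIXED64, LENGTH_DELIMITED, START_GROUP, END_GROUP, FIXED32 = 0, 1, 2, 3, 4, 5


class DecodeError(ValueError):
    """Raised for malformed input or for input exceeding a retention limit."""


@dataclass
class UnknownField:
    number: int
    wire_type: int
    # int for varints, bytes for fixed/length-delimited, nested list for groups
    value: Union[int, bytes, List["UnknownField"]]


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a base-128 varint at pos; returns (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise DecodeError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise DecodeError("varint longer than 10 bytes")


def decode_unknown(buf: bytes, pos: int = 0, depth: int = 0,
                   group_number: Optional[int] = None,
                   max_fields: int = MAX_UNKNOWN_FIELDS_PER_MESSAGE,
                   max_depth: int = MAX_GROUP_DEPTH) -> Tuple[List[UnknownField], int]:
    """Retain every field in one message scope (top level or one group) as unknown.
    The count limit is checked per scope; the depth limit is checked on entry."""
    if depth > max_depth:
        raise DecodeError("group nesting too deep")
    fields: List[UnknownField] = []
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        number, wire_type = tag >> 3, tag & 7
        if number == 0 or number > (1 << 29) - 1:
            raise DecodeError(f"illegal field number {number}")
        if wire_type == END_GROUP:
            if number != group_number:
                raise DecodeError("unmatched end-group tag")
            return fields, pos  # group closed; caller keeps consuming
        if wire_type == VARINT:
            value, pos = read_varint(buf, pos)
        elif wire_type in (FIXED64, FIXED32):
            width = 8 if wire_type == FIXED64 else 4
            if pos + width > len(buf):
                raise DecodeError("truncated fixed-width field")
            value, pos = buf[pos:pos + width], pos + width
        elif wire_type == LENGTH_DELIMITED:
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise DecodeError("length-delimited field overruns buffer")
            value, pos = buf[pos:pos + length], pos + length
        elif wire_type == START_GROUP:
            # A nested group is its own message scope with its own count budget.
            value, pos = decode_unknown(buf, pos, depth + 1, number, max_fields, max_depth)
        else:
            raise DecodeError(f"unknown wire type {wire_type}")
        # Enforce the limit before retaining, so memory never exceeds the budget.
        if len(fields) >= max_fields:
            raise DecodeError(f"more than {max_fields} unknown fields in one message")
        fields.append(UnknownField(number, wire_type, value))
    if group_number is not None:
        raise DecodeError("unterminated group")
    return fields, pos


def decode_message(buf: bytes, **limits) -> List[UnknownField]:
    """Decode a whole top-level message and require that all bytes were consumed."""
    fields, pos = decode_unknown(buf, **limits)
    if pos != len(buf):
        raise DecodeError("trailing bytes after message")
    return fields


def count_retained_fields(fields: List[UnknownField]) -> int:
    """Total UnknownField objects held, including those inside nested groups."""
    total = 0
    for f in fields:
        total += 1
        if f.wire_type == START_GROUP:
            total += count_retained_fields(f.value)
    return total


if __name__ == "__main__":
    # Constructed sample: field 1 = varint 150, field 2 = bytes "hi".
    print(decode_message(b"\x08\x96\x01\x12\x02hi"))
```

Because the limit is checked before each retained field is appended, a message that oversteps it is rejected at the budget boundary rather than after the whole input has been expanded into objects; the depth cap keeps the per-scope budgets from multiplying without bound across nested groups.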