Hasty Briefs (beta)

22x memory amp DoS in Anthropic's buffa protobuf decoder (CVE-2026-55407)

2 days ago
  • #Protobuf Decoding
  • #Memory Allocation
  • #Denial of Service
  • AI SAST identified a denial-of-service vulnerability in buffa's protobuf decoding via unknown-field handling.
  • A flat sink allocates memory ~2x input size, while a nested group sink amplifies tiny inputs by ~22x, causing OOM crashes.
  • The flaw affects default settings and was fixed in buffa and connectrpc 0.8.0 with a per-message unknown-field count limit.
  • Severity varies by deployment, with CVSS 4.0 scored as 6.3 (Moderate) for some profiles but higher for others.
  • Anthropic responded collaboratively, issued a CVE (CVE-2026-55407), and provided mitigation options like disabling unknown-field retention.
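To make the retention-plus-cap mechanism concrete, here is an added toy decoder (illustration only, not buffa's or connectrpc's code) that keeps every wire-format field as an unknown field, recurses into groups, and enforces a per-message unknown-field cap; the cap value of 64, the `UnknownFieldLimitError` name, the assumption that the cap spans nested groups, and the `nested_groups` sample input are all constructed for this example.

```python
MAX_UNKNOWN_FIELDS = 64  # assumed cap for this toy; the page does not state the real value

class UnknownFieldLimitError(ValueError):
    """Raised when a message would retain more unknown fields than the cap."""

def read_varint(buf, pos):
    result = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def decode_unknown(buf, pos=0, limit=MAX_UNKNOWN_FIELDS, counter=None):
    """Retain every field as unknown. Start-group (wire type 3) recurses, so each
    group becomes a nested list: a few input bytes become many heap objects. The
    shared `counter` caps the whole top-level message, groups included (assumed scope)."""
    if counter is None:
        counter = [0]
    fields = []
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_num, wire_type = tag >> 3, tag & 7
        if wire_type == 4:  # end group: return to the enclosing group
            return fields, pos
        counter[0] += 1
        if counter[0] > limit:
            raise UnknownFieldLimitError(f"more than {limit} unknown fields")
        if wire_type == 0:
            value, pos = read_varint(buf, pos)
        elif wire_type == 2:
            length, pos = read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        elif wire_type == 3:
            value, pos = decode_unknown(buf, pos, limit, counter)
        elif wire_type in (1, 5):  # fixed64 / fixed32
            n = 8 if wire_type == 1 else 4
            value, pos = buf[pos:pos + n], pos + n
        else:
            raise ValueError(f"bad wire type {wire_type}")
        fields.append((field_num, wire_type, value))
    return fields, pos

def nested_groups(depth, field_num=1):
    """Constructed sample: `depth` nested empty groups, two bytes per level."""
    return bytes([field_num << 3 | 3]) * depth + bytes([field_num << 3 | 4]) * depth

def accepts(buf, limit=MAX_UNKNOWN_FIELDS):
    try:
        decode_unknown(buf, limit=limit)
        return True
    except UnknownFieldLimitError:
        return False
```

Each nesting level costs two input bytes but yields a tuple plus a list in the retained tree, which is the shape behind the amplification described above; the counter turns that unbounded growth into a fixed-cost rejection.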