CVE-2024-7254

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e. a StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursion that can be abused by an attacker.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | UNKNOWN | | | | --- |
| Google | CNA | --- | | | | --- |
| CISA-ADP | ADP | --- | | | | --- |
| CVE | ADP | --- | | | | --- |
Awaiting analysis: this vulnerability is currently awaiting analysis.
Base Score (CVSS 3.x): not yet assigned
EPSS Score: percentile 33%
Debian Releases

| Debian Product | Codename | Status |
|---|---|---|
| protobuf | bullseye | postponed |
| protobuf | bookworm | no-dsa |
| protobuf | trixie | vulnerable |
| protobuf | sid | vulnerable |
Ubuntu Releases

| Ubuntu Product | Codename | Fixed Version | Status |
|---|---|---|---|
| protobuf | plucky | 3.21.12-10ubuntu0.1 | released |
| protobuf | oracular | 3.21.12-9ubuntu1.1 | released |
| protobuf | noble | 3.21.12-8.2ubuntu0.1 | released |
| protobuf | jammy | 3.12.4-1ubuntu7.22.04.2 | released |
| protobuf | focal | | needs-triage |
| protobuf | bionic | | needs-triage |
| protobuf | xenial | | needs-triage |
| protobuf | trusty | | needs-triage |