CVE-2024-7254

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursion that can be abused by an attacker.
CVSS scoring by provider (Provider / Type / Base Score / Atk. Vector / Atk. Complexity / Priv. Required / Vector):
NIST (NIST): base score UNKNOWN; vector ---
Google (CNA): --- / ---
CISA-ADP (ADP): --- / ---
CVE (ADP): --- / ---
Base Score (CVSS 3.x): awaiting analysis. This vulnerability is currently awaiting analysis.
EPSS Score: percentile 42%
Debian Releases (Debian Product / Codename / Status):
protobuf
  bullseye: postponed
  bookworm: no-dsa
  sid: fixed (3.21.12-11)
  trixie: fixed (3.21.12-11)
rust-protobuf
  sid: vulnerable
  trixie: vulnerable
  bookworm: no-dsa
  bullseye: postponed
Ubuntu Releases (Ubuntu Product / Codename / Status):
protobuf
  plucky: needs-triage
  oracular: released (Fixed 3.21.12-9ubuntu1.1)
  noble: released (Fixed 3.21.12-8.2ubuntu0.1)
  jammy: released (Fixed 3.12.4-1ubuntu7.22.04.2)
  focal: needs-triage
  bionic: needs-triage
  xenial: needs-triage
  trusty: needs-triage