CVE-2021-22569
HIGH7.5EPSS 0.47%protobuf - security update
Published: 1/7/2022Modified: 4/28/2026
Description
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
Affected packages (5)
- Debian/protobuffrom 0, < 3.12.4-1+deb11u1
- Debian/protobuffrom 0, < 3.6.1.3-2+deb10u1
- Maven/com.google.protobuf:protobuf-javafrom 0, < 3.16.1
- Maven/com.google.protobuf:protobuf-kotlin>= 3.18.0, < 3.18.2
- RubyGems/google-protobuffrom 0, < 3.19.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-22569
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-22569
- PATCHhttps://github.com/protocolbuffers/protobuf
- WEBhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330
- WEBhttps://cloud.google.com/support/bulletins#gcp-2022-001
- WEBhttps://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67
- WEBhttps://www.oracle.com/security-alerts/cpuapr2022.html
- WEBhttp://www.openwall.com/lists/oss-security/2022/01/12/4
- WEBhttp://www.openwall.com/lists/oss-security/2022/01/12/7