CVE-2026-6409

Published: April 16th, 2026

A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.

Unknown
CVSS v2:

Status

DocFilters Release	Package	State	Justification	Comment
26.2	protobuf (3.0.0)	Not Affected	Code Not Present	CVE-2026-6409 affects the Protobuf PHP PECL extension (versions < 4.33.6 and < 5.34.0-RC1), specifically php/src/Google/Protobuf/Internal/CodedInputStream.php. Document Filters uses the C++ protobuf library v3.0.0 compiled from source. The PHP directory does not exist in our protobuf-3.0.0 tree, and the vulnerable PHP CodedInputStream class is not compiled, bundled, or used by Document Filters.
26.1	protobuf (3.0.0)	Needs Triage
25.4	protobuf (3.0.0)	Needs Triage
25.3	protobuf (3.0.0)	Needs Triage
25.2	protobuf (3.0.0)	Needs Triage
25.1	protobuf (3.0.0)	Needs Triage
24.4	protobuf (3.0.0)	Needs Triage
24.4.0	protobuf (3.0.0)	Needs Triage
24.3	protobuf (3.0.0)	Needs Triage
24.2	protobuf (3.0.0)	Needs Triage
24.1	protobuf (3.0.0)	Needs Triage
23.3	protobuf (3.0.0)	Needs Triage
23.2	protobuf (3.0.0)	Needs Triage
23.1	protobuf (3.0.0)	Needs Triage
22.4	protobuf (3.0.0)	Needs Triage
22.3	protobuf (3.0.0)	Needs Triage
22.2	protobuf (3.0.0)	Needs Triage
22.1	protobuf (3.0.0)	Needs Triage
21.11	protobuf (3.0.0)	Needs Triage
21.8	protobuf (3.0.0)	Needs Triage
21.5.0	protobuf (3.0.0)	Needs Triage
21.2.0	protobuf (3.0.0)	Needs Triage
11.4.19.3667	protobuf (3.0.0)	Needs Triage
11.4.18.3599	protobuf (3.0.0)	Needs Triage
11.4.16.3445	protobuf (3.0.0)	Needs Triage
11.4.15.3368	protobuf (3.0.0)	Needs Triage
11.4.14.3263	protobuf (3.0.0)	Needs Triage
11.4.13.3179	protobuf (3.0.0)	Needs Triage
11.4.12.3054	protobuf (3.0.0)	Needs Triage
11.4.11.3040	protobuf (3.0.0)	Needs Triage
11.4.11.2990	protobuf (3.0.0)	Needs Triage
11.4.10.2934	protobuf (3.0.0)	Needs Triage
11.4.9.2878	protobuf (3.0.0)	Needs Triage
11.4.8.2822	protobuf (3.0.0)	Needs Triage

Severity score breakdown

References

NVD
MITRE