CVE-2026-55406: buffa: use-after-free in Rust protobuf OwnedView type
MEDIUMbuffa, a pure-Rust Protocol Buffers library, shipped a soundness bug where its OwnedView type let ordinary safe Rust code end up holding references to freed memory once the view was dropped, producing a classic use-after-free with no `unsafe` blocks involved. There is no CVSS score, no EPSS data, it is not in CISA KEV, and no public exploit or Nuclei template exists yet, so active exploitation is unlikely today — but the library has 5,901 downstream dependents and 39 other CVEs on record, indicating meaningful reach and a track record of quality issues. Any Rust-based service that decodes attacker-influenced protobuf input with buffa — including gRPC-based model-serving and inference gateways — inherits the risk of memory corruption or leaked heap contents (CWE-416, CWE-200) if it retains views beyond the point the library frees them. Upgrade to buffa 0.7.0 or later immediately; there is no safe workaround short of removing reliance on OwnedView-derived references across their intended lifetime. Prioritize this in any AI inference or agent-tooling stack that uses buffa for protobuf decoding, even though today's exploitation likelihood is low.
What is the risk?
Rated medium with no CVSS vector, no EPSS score, absence from CISA KEV, and no known public exploit or scanner template — current real-world exploitation likelihood is low. However, the underlying flaw is a genuine memory-safety defect (use-after-free) reachable from ordinary safe Rust code, which is more severe than a typical logic bug because it can yield both information disclosure of freed heap contents and potential memory corruption. The package's reach (5,901 downstream dependents) and history (39 prior CVEs, package risk score 31/100) suggest broader exposure and possible latent quality issues in the crate. Risk should be treated as moderate-to-elevated for any service parsing untrusted protobuf input with buffa, pending patch adoption.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Anthropic Python | pip | — | No patch |
Do you use Anthropic Python? You're affected.
How severe is it?
What should I do?
1 step-
Upgrade buffa to version 0.7.0 or later immediately, which fixes the OwnedView lifetime-transmute bug per GHSA-9pwq-gcrx-wghh and the linked fix commit. Audit application code for any place where a borrowed &'static str or &'static [u8] obtained from an OwnedView is stored, cached, or passed across threads/beyond the OwnedView's own scope — this pattern is the trigger condition and should be re-reviewed even post-patch for correctness. Run
cargo audit/ dependency scanning in CI to catch buffa <0.7.0 in the build graph, including transitive dependencies. Detection is difficult at runtime (this manifests as memory corruption, not a distinguishable signature); consider running affected services with AddressSanitizer/Miri in test environments to catch latent use-after-free patterns before production deployment.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-55406?
buffa, a pure-Rust Protocol Buffers library, shipped a soundness bug where its OwnedView type let ordinary safe Rust code end up holding references to freed memory once the view was dropped, producing a classic use-after-free with no `unsafe` blocks involved. There is no CVSS score, no EPSS data, it is not in CISA KEV, and no public exploit or Nuclei template exists yet, so active exploitation is unlikely today — but the library has 5,901 downstream dependents and 39 other CVEs on record, indicating meaningful reach and a track record of quality issues. Any Rust-based service that decodes attacker-influenced protobuf input with buffa — including gRPC-based model-serving and inference gateways — inherits the risk of memory corruption or leaked heap contents (CWE-416, CWE-200) if it retains views beyond the point the library frees them. Upgrade to buffa 0.7.0 or later immediately; there is no safe workaround short of removing reliance on OwnedView-derived references across their intended lifetime. Prioritize this in any AI inference or agent-tooling stack that uses buffa for protobuf decoding, even though today's exploitation likelihood is low.
Is CVE-2026-55406 actively exploited?
No confirmed active exploitation of CVE-2026-55406 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-55406?
Upgrade buffa to version 0.7.0 or later immediately, which fixes the OwnedView lifetime-transmute bug per GHSA-9pwq-gcrx-wghh and the linked fix commit. Audit application code for any place where a borrowed &'static str or &'static [u8] obtained from an OwnedView is stored, cached, or passed across threads/beyond the OwnedView's own scope — this pattern is the trigger condition and should be re-reviewed even post-patch for correctness. Run `cargo audit` / dependency scanning in CI to catch buffa <0.7.0 in the build graph, including transitive dependencies. Detection is difficult at runtime (this manifests as memory corruption, not a distinguishable signature); consider running affected services with AddressSanitizer/Miri in test environments to catch latent use-after-free patterns before production deployment.
What systems are affected by CVE-2026-55406?
This vulnerability affects the following AI/ML architecture patterns: model serving (gRPC/protobuf-based inference), agent frameworks (protobuf-based tool invocation), observability/telemetry pipelines using protobuf.
What is the CVSS score for CVE-2026-55406?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0025 Exfiltration via Cyber Means Compliance Controls Affected
What are the technical details?
Original Advisory
Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.7.0, a soundness bug in the OwnedView<V> type allowed safe Rust code to trigger a use-after-free: the OwnedView::decode constructor transmuted a borrowed slice to &'static [u8], and the Deref implementation exposed the promoted 'static lifetime on borrowed view fields (such as &'static str and &'static [u8]) to callers, so the borrow checker permitted those references to outlive the OwnedView; once the OwnedView was dropped and its backing buffer freed, the references became dangling, enabling memory corruption, information disclosure of freed heap contents, and cross-thread misuse without any unsafe code in the calling application. This issue is fixed in version 0.7.0.
Exploitation Scenario
An adversary with the ability to send protobuf-encoded input to a Rust-based service using buffa (e.g., a gRPC endpoint on a model-serving or inference gateway, or an agent framework's tool-call protocol) crafts a message that gets decoded into an OwnedView. If the receiving application's code retains a reference to a decoded string or byte field beyond the OwnedView's lifetime (a pattern the compiler incorrectly permits due to the promoted 'static lifetime), the backing buffer is freed while the application still holds and later dereferences that reference. Depending on subsequent heap allocations, this can leak fragments of other in-flight requests' data (e.g., another user's prompt or an internal credential sitting in nearby freed memory) or corrupt process state, potentially destabilizing the service. Exploitation requires the target application to exhibit the vulnerable retention pattern; it is not a trivial single-request remote exploit against any buffa-based service by default.
Weaknesses (CWE)
CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Source: MITRE CWE corpus.
References
- github.com/anthropics/buffa/commit/7dcf50a1a40eca6ed8d6c6dd59f4310aa0d68b0e x_refsource_MISC
- github.com/anthropics/buffa/pull/154 x_refsource_MISC
- github.com/anthropics/buffa/releases/tag/v0.7.0 x_refsource_MISC
- github.com/anthropics/buffa/security/advisories/GHSA-9pwq-gcrx-wghh x_refsource_CONFIRM
Timeline
Related Vulnerabilities
CVE-2026-54449 8.8 LangBot: RCE via arbitrary STDIO MCP command
Same package: anthropic CVE-2026-55429 8.7 Coder: cross-workspace agent hijack via app ID reuse
Same package: anthropic CVE-2026-7574 8.7 Claude Desktop: VM integrity bypass enables RCE
Same package: anthropic CVE-2026-55427 8.3 Coder: SSH config injection via config-ssh enables RCE
Same package: anthropic CVE-2026-55428 8.2 Coder: agent IP spoofing hijacks workspace traffic
Same package: anthropic