CVE-2026-55406: buffa: use-after-free in Rust protobuf OwnedView type

MEDIUM
Published July 16, 2026
CISO Take

buffa, a pure-Rust Protocol Buffers library, shipped a soundness bug where its OwnedView type let ordinary safe Rust code end up holding references to freed memory once the view was dropped, producing a classic use-after-free with no `unsafe` blocks involved. There is no CVSS score, no EPSS data, it is not in CISA KEV, and no public exploit or Nuclei template exists yet, so active exploitation is unlikely today — but the library has 5,901 downstream dependents and 39 other CVEs on record, indicating meaningful reach and a track record of quality issues. Any Rust-based service that decodes attacker-influenced protobuf input with buffa — including gRPC-based model-serving and inference gateways — inherits the risk of memory corruption or leaked heap contents (CWE-416, CWE-200) if it retains views beyond the point the library frees them. Upgrade to buffa 0.7.0 or later immediately; there is no safe workaround short of removing reliance on OwnedView-derived references across their intended lifetime. Prioritize this in any AI inference or agent-tooling stack that uses buffa for protobuf decoding, even though today's exploitation likelihood is low.

Sources: NVD GitHub Advisory CISA KEV ATLAS

What is the risk?

Rated medium with no CVSS vector, no EPSS score, absence from CISA KEV, and no known public exploit or scanner template — current real-world exploitation likelihood is low. However, the underlying flaw is a genuine memory-safety defect (use-after-free) reachable from ordinary safe Rust code, which is more severe than a typical logic bug because it can yield both information disclosure of freed heap contents and potential memory corruption. The package's reach (5,901 downstream dependents) and history (39 prior CVEs, package risk score 31/100) suggest broader exposure and possible latent quality issues in the crate. Risk should be treated as moderate-to-elevated for any service parsing untrusted protobuf input with buffa, pending patch adoption.

How does the attack unfold?

Crafted input delivery
Adversary sends a crafted protobuf message to a Rust-based service (e.g., a gRPC inference or agent-tool endpoint) that decodes input using buffa's OwnedView type.
AML.T0049
Unsound reference retention
Application code stores or forwards a borrowed &'static str/[u8] reference derived from the OwnedView beyond its intended scope, a pattern the compiler wrongly permits.
Use-after-free trigger
The OwnedView is dropped and its backing buffer freed while stale references remain live, causing subsequent access to dangling memory.
Information disclosure or corruption
The freed memory is read or overwritten, potentially leaking adjacent heap data from other requests or corrupting process state.
AML.T0025

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Anthropic Python pip No patch
3.7K 5.9K dependents Pushed 6d ago 88% patched ~10d to patch Full package profile →

Do you use Anthropic Python? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Advanced

What should I do?

1 step
  1. Upgrade buffa to version 0.7.0 or later immediately, which fixes the OwnedView lifetime-transmute bug per GHSA-9pwq-gcrx-wghh and the linked fix commit. Audit application code for any place where a borrowed &'static str or &'static [u8] obtained from an OwnedView is stored, cached, or passed across threads/beyond the OwnedView's own scope — this pattern is the trigger condition and should be re-reviewed even post-patch for correctness. Run cargo audit / dependency scanning in CI to catch buffa <0.7.0 in the build graph, including transitive dependencies. Detection is difficult at runtime (this manifests as memory corruption, not a distinguishable signature); consider running affected services with AddressSanitizer/Miri in test environments to catch latent use-after-free patterns before production deployment.

How is it classified?

Data Leakage Code Execution Inference API AML.T0025

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
Annex A.6.2 - AI system security in design and development
NIST AI RMF
MEASURE 2.7 - AI system security and resilience are evaluated and documented
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-55406?

buffa, a pure-Rust Protocol Buffers library, shipped a soundness bug where its OwnedView type let ordinary safe Rust code end up holding references to freed memory once the view was dropped, producing a classic use-after-free with no `unsafe` blocks involved. There is no CVSS score, no EPSS data, it is not in CISA KEV, and no public exploit or Nuclei template exists yet, so active exploitation is unlikely today — but the library has 5,901 downstream dependents and 39 other CVEs on record, indicating meaningful reach and a track record of quality issues. Any Rust-based service that decodes attacker-influenced protobuf input with buffa — including gRPC-based model-serving and inference gateways — inherits the risk of memory corruption or leaked heap contents (CWE-416, CWE-200) if it retains views beyond the point the library frees them. Upgrade to buffa 0.7.0 or later immediately; there is no safe workaround short of removing reliance on OwnedView-derived references across their intended lifetime. Prioritize this in any AI inference or agent-tooling stack that uses buffa for protobuf decoding, even though today's exploitation likelihood is low.

Is CVE-2026-55406 actively exploited?

No confirmed active exploitation of CVE-2026-55406 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-55406?

Upgrade buffa to version 0.7.0 or later immediately, which fixes the OwnedView lifetime-transmute bug per GHSA-9pwq-gcrx-wghh and the linked fix commit. Audit application code for any place where a borrowed &'static str or &'static [u8] obtained from an OwnedView is stored, cached, or passed across threads/beyond the OwnedView's own scope — this pattern is the trigger condition and should be re-reviewed even post-patch for correctness. Run `cargo audit` / dependency scanning in CI to catch buffa <0.7.0 in the build graph, including transitive dependencies. Detection is difficult at runtime (this manifests as memory corruption, not a distinguishable signature); consider running affected services with AddressSanitizer/Miri in test environments to catch latent use-after-free patterns before production deployment.

What systems are affected by CVE-2026-55406?

This vulnerability affects the following AI/ML architecture patterns: model serving (gRPC/protobuf-based inference), agent frameworks (protobuf-based tool invocation), observability/telemetry pipelines using protobuf.

What is the CVSS score for CVE-2026-55406?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

model serving (gRPC/protobuf-based inference)agent frameworks (protobuf-based tool invocation)observability/telemetry pipelines using protobuf

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: Annex A.6.2
NIST AI RMF: MEASURE 2.7
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.7.0, a soundness bug in the OwnedView<V> type allowed safe Rust code to trigger a use-after-free: the OwnedView::decode constructor transmuted a borrowed slice to &'static [u8], and the Deref implementation exposed the promoted 'static lifetime on borrowed view fields (such as &'static str and &'static [u8]) to callers, so the borrow checker permitted those references to outlive the OwnedView; once the OwnedView was dropped and its backing buffer freed, the references became dangling, enabling memory corruption, information disclosure of freed heap contents, and cross-thread misuse without any unsafe code in the calling application. This issue is fixed in version 0.7.0.

Exploitation Scenario

An adversary with the ability to send protobuf-encoded input to a Rust-based service using buffa (e.g., a gRPC endpoint on a model-serving or inference gateway, or an agent framework's tool-call protocol) crafts a message that gets decoded into an OwnedView. If the receiving application's code retains a reference to a decoded string or byte field beyond the OwnedView's lifetime (a pattern the compiler incorrectly permits due to the promoted 'static lifetime), the backing buffer is freed while the application still holds and later dereferences that reference. Depending on subsequent heap allocations, this can leak fragments of other in-flight requests' data (e.g., another user's prompt or an internal credential sitting in nearby freed memory) or corrupt process state, potentially destabilizing the service. Exploitation requires the target application to exhibit the vulnerable retention pattern; it is not a trivial single-request remote exploit against any buffa-based service by default.

Weaknesses (CWE)

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

Timeline

Published
July 16, 2026
Last Modified
July 16, 2026
First Seen
July 16, 2026

Related Vulnerabilities