CVE-2026-55407: Buffa: protobuf decoder DoS via 22x memory amplification
MEDIUMBuffa, a Rust protobuf decoder used to parse untrusted wire-format messages, fails to cap memory allocation for unknown fields, letting a small crafted payload balloon into massive heap usage — roughly 22x amplification, so a 64 MiB input can force about 1.4 GB of allocation and crash the process. This matters because the flaw requires no authentication and no exotic tooling, just a malformed protobuf message sent to any endpoint that decodes untrusted input with the library's default preserve_unknown_fields=true setting; with 5,901 downstream dependents, exposure could span any AI inference gateway, model-serving proxy, or gRPC-based ML pipeline written in Rust that ingests external protobuf traffic. There is no CISA KEV listing, no EPSS score, and no public exploit or scanner template available yet, so this is not confirmed as actively exploited today, but the low complexity of the attack (a single well-formed nested payload, no auth needed) means weaponization is trivial once the advisory circulates. Patch to buffa 0.8.0 immediately on any service that decodes external protobuf input, and in the interim enforce upstream request-size limits and memory/resource caps (cgroups, container memory limits) on any process using this decoder so a single request cannot exhaust host memory.
What is the risk?
Rated medium severity with no public CVSS vector, but the exploitability profile is high: unauthenticated, remotely triggerable, and requires only a small crafted message (no privileges, no user interaction). The primary risk is availability, not confidentiality or integrity — this is a pure denial-of-service bug (CWE-400/770/789 uncontrolled resource consumption). Actual organizational risk depends heavily on whether affected services expose protobuf decoding directly to untrusted networks (e.g., public gRPC/model-serving APIs) versus only internal, trusted traffic. No KEV listing, no EPSS score, and no known public exploit lower near-term urgency, but the package's own risk profile (score 31/100, 39 other CVEs in the same package) suggests a broader pattern of hardening gaps worth tracking.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Anthropic Python | pip | — | No patch |
Do you use Anthropic Python? You're affected.
How severe is it?
What should I do?
1 step-
Upgrade buffa to version 0.8.0 or later, which enforces an allocation budget that accounts for in-decode amplification. Where immediate upgrade isn't possible, apply defense-in-depth: cap the size of accepted protobuf messages well below any amplification threshold at the network/proxy layer, run decoding processes under strict memory limits (container cgroups, ulimits) so a crash is contained rather than cascading, and monitor for abnormal memory spikes or repeated process restarts correlated with inbound protobuf traffic. If feasible, disable preserve_unknown_fields for code paths that don't need to round-trip unknown fields, reducing the attack surface entirely.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-55407?
Buffa, a Rust protobuf decoder used to parse untrusted wire-format messages, fails to cap memory allocation for unknown fields, letting a small crafted payload balloon into massive heap usage — roughly 22x amplification, so a 64 MiB input can force about 1.4 GB of allocation and crash the process. This matters because the flaw requires no authentication and no exotic tooling, just a malformed protobuf message sent to any endpoint that decodes untrusted input with the library's default preserve_unknown_fields=true setting; with 5,901 downstream dependents, exposure could span any AI inference gateway, model-serving proxy, or gRPC-based ML pipeline written in Rust that ingests external protobuf traffic. There is no CISA KEV listing, no EPSS score, and no public exploit or scanner template available yet, so this is not confirmed as actively exploited today, but the low complexity of the attack (a single well-formed nested payload, no auth needed) means weaponization is trivial once the advisory circulates. Patch to buffa 0.8.0 immediately on any service that decodes external protobuf input, and in the interim enforce upstream request-size limits and memory/resource caps (cgroups, container memory limits) on any process using this decoder so a single request cannot exhaust host memory.
Is CVE-2026-55407 actively exploited?
No confirmed active exploitation of CVE-2026-55407 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-55407?
Upgrade buffa to version 0.8.0 or later, which enforces an allocation budget that accounts for in-decode amplification. Where immediate upgrade isn't possible, apply defense-in-depth: cap the size of accepted protobuf messages well below any amplification threshold at the network/proxy layer, run decoding processes under strict memory limits (container cgroups, ulimits) so a crash is contained rather than cascading, and monitor for abnormal memory spikes or repeated process restarts correlated with inbound protobuf traffic. If feasible, disable preserve_unknown_fields for code paths that don't need to round-trip unknown fields, reducing the attack surface entirely.
What systems are affected by CVE-2026-55407?
This vulnerability affects the following AI/ML architecture patterns: model serving, agent frameworks, RAG pipelines.
What is the CVSS score for CVE-2026-55407?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0029 Denial of AI Service AML.T0034.001 Resource-Intensive Queries Compliance Controls Affected
What are the technical details?
Original Advisory
Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.8.0, the decode_unknown_field function in buffa's protobuf decoder allocated heap memory in proportion to untrusted input (unknown fields in the serialized protobuf) without enforcing an allocation budget, affecting any message decoded from untrusted input using code generated with preserve_unknown_fields=true (the default); a small, well-formed payload of nested unknown fields inside a StartGroup could trigger roughly 22x memory amplification (for example a 64 MiB input forcing about 1.4 GB of heap allocation), and length-delimited unknown fields could be sized arbitrarily, so an unauthenticated attacker could crash a process through memory exhaustion because the top-level message size cap did not account for in-decode amplification. This issue is fixed in version 0.8.0.
Exploitation Scenario
An attacker identifies a Rust-based AI inference gateway or model-serving proxy that accepts protobuf-encoded requests from the internet or from a semi-trusted internal network. They craft a compact payload containing deeply nested unknown fields inside a StartGroup structure, sized to pass any top-level message size cap while amplifying roughly 22x in decoded memory. They send this payload repeatedly to the exposed endpoint; each request forces the decoder to allocate memory disproportionate to the wire size, rapidly exhausting available heap and crashing the service — disrupting the AI inference pipeline or agent tool endpoint without needing any credentials or prior reconnaissance beyond identifying that the target uses buffa.
Weaknesses (CWE)
CWE-400 Uncontrolled Resource Consumption CWE-770 Allocation of Resources Without Limits or Throttling CWE-789 Memory Allocation with Excessive Size Value CWE-400 — Uncontrolled Resource Consumption: The product does not properly control the allocation and maintenance of a limited resource.
- [Architecture and Design] Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
- [Architecture and Design] Mitigation of resource exhaustion attacks requires that the target system either: The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question. The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker. recognizes the attack and denies that user further access for a given amount of time, or uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Source: MITRE CWE corpus.
References
- github.com/anthropics/buffa/commit/278fa43fcff661d4ee6bd83b75955a153d4281fc x_refsource_MISC
- github.com/anthropics/buffa/pull/184 x_refsource_MISC
- github.com/anthropics/buffa/releases/tag/v0.8.0 x_refsource_MISC
- github.com/anthropics/buffa/security/advisories/GHSA-f9qc-qg88-7pq5 x_refsource_CONFIRM
Timeline
Related Vulnerabilities
CVE-2026-54449 8.8 LangBot: RCE via arbitrary STDIO MCP command
Same package: anthropic CVE-2026-7574 8.7 Claude Desktop: VM integrity bypass enables RCE
Same package: anthropic CVE-2026-55429 8.7 Coder: cross-workspace agent hijack via app ID reuse
Same package: anthropic CVE-2026-55427 8.3 Coder: SSH config injection via config-ssh enables RCE
Same package: anthropic CVE-2026-55428 8.2 Coder: agent IP spoofing hijacks workspace traffic
Same package: anthropic