CVE-2026-55407: Buffa: protobuf decoder DoS via 22x memory amplification

MEDIUM
Published July 16, 2026
CISO Take

Buffa, a Rust protobuf decoder used to parse untrusted wire-format messages, fails to cap memory allocation for unknown fields, letting a small crafted payload balloon into massive heap usage — roughly 22x amplification, so a 64 MiB input can force about 1.4 GB of allocation and crash the process. This matters because the flaw requires no authentication and no exotic tooling, just a malformed protobuf message sent to any endpoint that decodes untrusted input with the library's default preserve_unknown_fields=true setting; with 5,901 downstream dependents, exposure could span any AI inference gateway, model-serving proxy, or gRPC-based ML pipeline written in Rust that ingests external protobuf traffic. There is no CISA KEV listing, no EPSS score, and no public exploit or scanner template available yet, so this is not confirmed as actively exploited today, but the low complexity of the attack (a single well-formed nested payload, no auth needed) means weaponization is trivial once the advisory circulates. Patch to buffa 0.8.0 immediately on any service that decodes external protobuf input, and in the interim enforce upstream request-size limits and memory/resource caps (cgroups, container memory limits) on any process using this decoder so a single request cannot exhaust host memory.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Rated medium severity with no public CVSS vector, but the exploitability profile is high: unauthenticated, remotely triggerable, and requires only a small crafted message (no privileges, no user interaction). The primary risk is availability, not confidentiality or integrity — this is a pure denial-of-service bug (CWE-400/770/789 uncontrolled resource consumption). Actual organizational risk depends heavily on whether affected services expose protobuf decoding directly to untrusted networks (e.g., public gRPC/model-serving APIs) versus only internal, trusted traffic. No KEV listing, no EPSS score, and no known public exploit lower near-term urgency, but the package's own risk profile (score 31/100, 39 other CVEs in the same package) suggests a broader pattern of hardening gaps worth tracking.

How does the attack unfold?

Initial Access
Attacker sends an unauthenticated protobuf-encoded request to a network-facing service that decodes messages using buffa with preserve_unknown_fields enabled.
AML.T0049
Exploitation
The payload embeds deeply nested unknown fields inside a StartGroup and oversized length-delimited fields, triggering roughly 22x memory amplification during decode.
AML.T0034.001
Impact
Heap allocation spikes (e.g., ~1.4 GB from a 64 MiB input) exhaust process memory, crashing the AI inference or agent-serving component and causing a service outage.
AML.T0029

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Anthropic Python pip No patch
3.7K 5.9K dependents Pushed 6d ago 88% patched ~10d to patch Full package profile →

Do you use Anthropic Python? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What should I do?

1 step
  1. Upgrade buffa to version 0.8.0 or later, which enforces an allocation budget that accounts for in-decode amplification. Where immediate upgrade isn't possible, apply defense-in-depth: cap the size of accepted protobuf messages well below any amplification threshold at the network/proxy layer, run decoding processes under strict memory limits (container cgroups, ulimits) so a crash is contained rather than cascading, and monitor for abnormal memory spikes or repeated process restarts correlated with inbound protobuf traffic. If feasible, disable preserve_unknown_fields for code paths that don't need to round-trip unknown fields, reducing the attack surface entirely.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
NIST AI RMF
MEASURE 2.7 - AI system security and resilience is evaluated and documented
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2026-55407?

Buffa, a Rust protobuf decoder used to parse untrusted wire-format messages, fails to cap memory allocation for unknown fields, letting a small crafted payload balloon into massive heap usage — roughly 22x amplification, so a 64 MiB input can force about 1.4 GB of allocation and crash the process. This matters because the flaw requires no authentication and no exotic tooling, just a malformed protobuf message sent to any endpoint that decodes untrusted input with the library's default preserve_unknown_fields=true setting; with 5,901 downstream dependents, exposure could span any AI inference gateway, model-serving proxy, or gRPC-based ML pipeline written in Rust that ingests external protobuf traffic. There is no CISA KEV listing, no EPSS score, and no public exploit or scanner template available yet, so this is not confirmed as actively exploited today, but the low complexity of the attack (a single well-formed nested payload, no auth needed) means weaponization is trivial once the advisory circulates. Patch to buffa 0.8.0 immediately on any service that decodes external protobuf input, and in the interim enforce upstream request-size limits and memory/resource caps (cgroups, container memory limits) on any process using this decoder so a single request cannot exhaust host memory.

Is CVE-2026-55407 actively exploited?

No confirmed active exploitation of CVE-2026-55407 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-55407?

Upgrade buffa to version 0.8.0 or later, which enforces an allocation budget that accounts for in-decode amplification. Where immediate upgrade isn't possible, apply defense-in-depth: cap the size of accepted protobuf messages well below any amplification threshold at the network/proxy layer, run decoding processes under strict memory limits (container cgroups, ulimits) so a crash is contained rather than cascading, and monitor for abnormal memory spikes or repeated process restarts correlated with inbound protobuf traffic. If feasible, disable preserve_unknown_fields for code paths that don't need to round-trip unknown fields, reducing the attack surface entirely.

What systems are affected by CVE-2026-55407?

This vulnerability affects the following AI/ML architecture patterns: model serving, agent frameworks, RAG pipelines.

What is the CVSS score for CVE-2026-55407?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

model servingagent frameworksRAG pipelines

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0034.001 Resource-Intensive Queries

Compliance Controls Affected

EU AI Act: Article 15
NIST AI RMF: MEASURE 2.7
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.8.0, the decode_unknown_field function in buffa's protobuf decoder allocated heap memory in proportion to untrusted input (unknown fields in the serialized protobuf) without enforcing an allocation budget, affecting any message decoded from untrusted input using code generated with preserve_unknown_fields=true (the default); a small, well-formed payload of nested unknown fields inside a StartGroup could trigger roughly 22x memory amplification (for example a 64 MiB input forcing about 1.4 GB of heap allocation), and length-delimited unknown fields could be sized arbitrarily, so an unauthenticated attacker could crash a process through memory exhaustion because the top-level message size cap did not account for in-decode amplification. This issue is fixed in version 0.8.0.

Exploitation Scenario

An attacker identifies a Rust-based AI inference gateway or model-serving proxy that accepts protobuf-encoded requests from the internet or from a semi-trusted internal network. They craft a compact payload containing deeply nested unknown fields inside a StartGroup structure, sized to pass any top-level message size cap while amplifying roughly 22x in decoded memory. They send this payload repeatedly to the exposed endpoint; each request forces the decoder to allocate memory disproportionate to the wire size, rapidly exhausting available heap and crashing the service — disrupting the AI inference pipeline or agent tool endpoint without needing any credentials or prior reconnaissance beyond identifying that the target uses buffa.

Weaknesses (CWE)

CWE-400 — Uncontrolled Resource Consumption: The product does not properly control the allocation and maintenance of a limited resource.

  • [Architecture and Design] Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
  • [Architecture and Design] Mitigation of resource exhaustion attacks requires that the target system either: The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question. The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker. recognizes the attack and denies that user further access for a given amount of time, or uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.

Source: MITRE CWE corpus.

Timeline

Published
July 16, 2026
Last Modified
July 16, 2026
First Seen
July 16, 2026

Related Vulnerabilities