Critical Buffa Rust Library 0-Day DoS Vulnerability in Anthropic


Marcus Rodriguez
July 1, 2026

Key Takeaways

  • A zero-day denial-of-service (DoS) vulnerability (CVE-2026-55407) has been discovered in Anthropic’s Rust-based protobuf implementation, Buffa.
  • The flaw allows attackers to trigger unbounded heap allocation through specially crafted input, leading to out-of-memory conditions.
  • The vulnerability impacts Buffa and connectrpc versions prior to 0.8.0, with a CVSS 4.0 score of 6.3 (Moderate), but real-world severity can escalate to High or Critical.
  • Anthropic has released fixes in Buffa and connectrpc version 0.8.0, and a secondary mitigation involves disabling the preservation of unknown fields.

Anthropic’s Buffa Rust Library Suffers Critical 0-Day DoS Vulnerability

Anthropic’s Buffa, a Rust-based implementation for handling protobuf messages, has been found to contain a zero-day denial-of-service (DoS) vulnerability. The flaw stems from uncontrolled heap allocation when processing attacker-controlled input, which can exhaust memory and crash the decoding process.


Designated as CVE-2026-55407 and GHSA-f9qc-qg88-7pq5, this vulnerability affects all versions of Buffa and connectrpc preceding 0.8.0. While initially rated as Moderate with a CVSS 4.0 score of 6.3, experts caution that its actual impact could be significantly higher, reaching High or Critical severity depending on the specific deployment environment and architecture.

Discovery and Technical Details

The vulnerability’s discovery originated from an analysis conducted by Endor Labs’ AI SAST engine, which flagged a suspicious data flow within Buffa’s unknown-field decoder during a routine codebase examination.

The core of the issue lies within the decode_unknown_field function. Here, a length value is extracted directly from untrusted protobuf wire data and subsequently converted into a usize. This value is then used to allocate a Vec<u8> without any explicit upper boundary beyond the fundamental type limits. Although a safeguard exists to ensure the buffer contains sufficient bytes, preventing out-of-bounds reads, it crucially fails to constrain the allocation size itself. This oversight creates an avenue for attackers to force substantial heap allocations by providing oversized length-delimited fields.

Initial assessments indicated an approximate 2x amplification ratio between input size and heap usage, a considerable but often manageable factor when strict input caps are in place. However, further investigation into the handling of WireType::StartGroup within the same function unveiled a far more dangerous amplification vector.

In this particular branch, the decoder iteratively processes nested unknown fields until it encounters a corresponding EndGroup tag. Each decoded field is then appended to an UnknownFields structure, which is backed by a Vec. Critically, the most economical nested field on the wire can be encoded using merely two bytes. Yet, each such field can trigger an approximate 40-byte heap allocation, compounded by growth overhead. This disparity allows a meticulously crafted group to inflate a relatively small input into an enormous in-memory structure.

Endor Labs’ proof-of-concept demonstrated the severity of this amplification. A protobuf payload of 64 MiB, containing millions of minimal varint fields embedded within a single unknown group, could escalate heap usage to approximately 1.4 GiB—an astounding 22 times the original input size. When this malicious message was decoded within a Docker container configured with a 256 MiB memory limit, the process was terminated with exit code 137, unequivocally confirming an out-of-memory DoS condition.

The vulnerable code path is directly accessible through Buffa’s default decoding APIs, including Message::decode and decode_from_slice. This means any service that processes untrusted protobuf messages with preserve_unknown_fields enabled (which is the default configuration) is potentially exposed to this vulnerability.

Mitigation and Broader Implications

Anthropic has promptly addressed the vulnerability, releasing fixes in Buffa and connectrpc version 0.8.0. These updates introduce a configurable per-message limit on unknown fields, effectively capping the maximum allocation overhead to manageable levels, typically tens of megabytes, even when confronted with hostile input.

For organizations unable to immediately upgrade, a temporary mitigation involves regenerating code with preserve_unknown_fields=false. This action disables the retention of unknown fields, thereby removing the primary data sink responsible for triggering the vulnerability.
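The decoder flaw described under Discovery and Technical Details and the per-message unknown-field limit introduced in 0.8.0 can both be shown with a small, self-contained unknown-field decoder. The following is an added example written for this article, not Buffa’s or connectrpc’s code; the type and function names (`Limits`, `decode_unknown_fields`, `estimate_heap_bytes`, `minimal_group_payload`) and the wire payload it builds are constructed for illustration. It caps the declared length of a length-delimited field before any allocation, slices the received bytes before copying them, counts every retained field (nested group members included) against one per-message budget, and estimates the heap footprint so the group amplification ratio is visible on a constructed input:

```rust
use std::mem::size_of;

/// Errors the bounded decoder reports (hypothetical names).
#[derive(Debug, PartialEq)]
pub enum DecodeError { Truncated, BadWireType(u8), LengthTooLarge, TooManyUnknownFields }

/// A retained unknown field costs a heap slot no matter how few wire bytes it used.
#[derive(Debug, Clone, PartialEq)]
pub enum UnknownValue { Varint(u64), Fixed64(u64), Fixed32(u32), LengthDelimited(Vec<u8>), Group(Vec<UnknownField>) }

#[derive(Debug, Clone, PartialEq)]
pub struct UnknownField { pub number: u32, pub value: UnknownValue }

/// Hypothetical per-message limits, standing in for the configurable cap 0.8.0 adds.
#[derive(Clone, Copy)]
pub struct Limits { pub max_unknown_fields: usize, pub max_length: usize }

pub const UNLIMITED: Limits = Limits { max_unknown_fields: usize::MAX, max_length: usize::MAX };

fn read_varint(buf: &[u8], pos: &mut usize) -> Result<u64, DecodeError> {
    let mut value = 0u64;
    for shift in (0u32..64).step_by(7) {
        let b = *buf.get(*pos).ok_or(DecodeError::Truncated)?;
        *pos += 1;
        value |= u64::from(b & 0x7f) << shift;
        if b & 0x80 == 0 { return Ok(value); }
    }
    Err(DecodeError::Truncated) // more than ten varint bytes is malformed
}

fn read_fixed(buf: &[u8], pos: &mut usize, n: usize) -> Result<u64, DecodeError> {
    let bytes = buf.get(*pos..*pos + n).ok_or(DecodeError::Truncated)?;
    *pos += n;
    Ok(bytes.iter().rev().fold(0u64, |acc, &b| (acc << 8) | u64::from(b))) // little-endian
}

fn decode_fields(buf: &[u8], pos: &mut usize, limits: Limits, count: &mut usize,
                 group: Option<u32>) -> Result<Vec<UnknownField>, DecodeError> {
    let mut fields = Vec::new();
    while *pos < buf.len() {
        let tag = read_varint(buf, pos)?;
        let number = (tag >> 3) as u32;
        let value = match (tag & 7) as u8 {
            0 => UnknownValue::Varint(read_varint(buf, pos)?),
            1 => UnknownValue::Fixed64(read_fixed(buf, pos, 8)?),
            5 => UnknownValue::Fixed32(read_fixed(buf, pos, 4)? as u32),
            2 => {
                // The length is untrusted wire data. The flawed pattern reserves `len`
                // bytes up front; here it is capped and the received bytes are sliced
                // first, so the copy can never exceed what actually arrived.
                let len = read_varint(buf, pos)?;
                if len > limits.max_length as u64 { return Err(DecodeError::LengthTooLarge); }
                let end = pos.checked_add(len as usize).ok_or(DecodeError::Truncated)?;
                let bytes = buf.get(*pos..end).ok_or(DecodeError::Truncated)?;
                *pos = end;
                UnknownValue::LengthDelimited(bytes.to_vec())
            }
            // StartGroup: recurse until the matching EndGroup. Nesting depth is not
            // limited in this example; a production decoder should cap that as well.
            3 => UnknownValue::Group(decode_fields(buf, pos, limits, count, Some(number))?),
            4 if group == Some(number) => return Ok(fields),
            wt => return Err(DecodeError::BadWireType(wt)),
        };
        // One budget for every retained field, nested ones included.
        *count += 1;
        if *count > limits.max_unknown_fields { return Err(DecodeError::TooManyUnknownFields); }
        fields.push(UnknownField { number, value });
    }
    if group.is_some() { Err(DecodeError::Truncated) } else { Ok(fields) }
}

pub fn decode_unknown_fields(buf: &[u8], limits: Limits) -> Result<Vec<UnknownField>, DecodeError> {
    let (mut pos, mut count) = (0usize, 0usize);
    decode_fields(buf, &mut pos, limits, &mut count, None)
}

/// Approximate heap footprint; Vec capacity is counted so growth overhead shows up.
pub fn estimate_heap_bytes(fields: &Vec<UnknownField>) -> usize {
    fields.capacity() * size_of::<UnknownField>()
        + fields.iter().map(|f| match &f.value {
            UnknownValue::LengthDelimited(b) => b.capacity(),
            UnknownValue::Group(g) => estimate_heap_bytes(g),
            _ => 0,
        }).sum::<usize>()
}

/// Constructed input: one unknown group (field 2) holding `n` two-byte varint fields.
pub fn minimal_group_payload(n: usize) -> Vec<u8> {
    let mut out = vec![0x13]; // (2 << 3) | 3: StartGroup, field 2
    for _ in 0..n { out.extend_from_slice(&[0x08, 0x00]); } // (1 << 3) | 0: varint field 1 = 0
    out.push(0x14); // (2 << 3) | 4: EndGroup, field 2
    out
}

fn main() {
    let payload = minimal_group_payload(100_000);
    let fields = decode_unknown_fields(&payload, UNLIMITED).expect("well-formed payload");
    let heap = estimate_heap_bytes(&fields);
    println!("{} wire bytes -> ~{} heap bytes ({}x)", payload.len(), heap, heap / payload.len());
    let capped = Limits { max_unknown_fields: 10_000, max_length: 1 << 20 };
    println!("with limits: {:?}", decode_unknown_fields(&payload, capped).err());
}
```

The point to take from the estimate is that the amplification comes from the per-field slot size (tens of bytes for a `Vec` element plus growth slack), not from the bytes on the wire, which is why an input-size cap alone does not bound memory. The field-count budget is the control that bounds it; the length cap and slice-before-copy handle the first, smaller amplification path.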

This discovery underscores a critical lesson: relying solely on input-size caps is insufficient to prevent DoS attacks, because amplification pathways like the group amplification identified here can turn a seemingly safe message size into a process-fatal allocation. The case also highlights the evolving role of AI-driven SAST engines in uncovering logic-level DoS vulnerabilities in memory-safe languages like Rust: by tracing untrusted data from its source to the heap allocation sink, such engines go beyond conventional pattern-based checks.

The coordinated disclosure between Endor Labs and Anthropic emphasizes the ongoing necessity for advanced data-flow-aware analysis, even within “safe” programming languages, particularly for high-assurance components integral to cutting-edge AI systems.

What You Should Do

  • Upgrade Immediately: Update your Buffa and connectrpc dependencies to version 0.8.0 or later to apply the official patches.
  • Implement Temporary Mitigation: If immediate upgrade is not feasible, regenerate your code with preserve_unknown_fields=false to disable the retention of unknown fields, thereby mitigating the primary attack vector.
  • Review Input Validation: While not a complete fix, strengthen input validation mechanisms to limit the size and complexity of untrusted protobuf messages processed by your applications.
  • Monitor for OOM Events: Implement robust monitoring for out-of-memory (OOM) events in services that decode protobuf messages, especially those exposed to external input.
