Home ยป Database

AVID-2026-R0937

Description

Out of Memory issue in ProtocolBuffers for cpp and python (CVE-2022-1941)

Details

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Reason for inclusion in AVID: CVE-2022-1941 describes an out-of-memory denial-of-service vulnerability in protobuf-cpp and protobuf-python parsing, affecting widely used protobuf libraries. These libraries are dependencies in software stacks used to build, train, deploy, and run general-purpose AI systems, making this a software supply chain issue within AI pipelines. The vulnerability is security-related (DoS via crafted input) and the report provides explicit affected versions and remediation, with multiple references confirming the details.

References

Affected or Relevant Artifacts

  • Developer: Google LLC
  • Deployer: Google LLC
  • Artifact Details:
TypeName
Systemprotobuf-cpp
Systemprotobuf-python

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CWE

IDDescription
CWE-1286CWE-1286: Improper Validation of Syntactic Correctness of Input

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2022-09-22
  • Version: 0.3.3
  • AVID Entry