CVE-2024-7254

Publication date 19 September 2024

Last updated 14 April 2025

Ubuntu priority

Medium

Why this priority?

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

Read the notes from the security team

Status

Package Ubuntu Release Status
protobuf 24.10 oracular
Fixed 3.21.12-9ubuntu1.1
24.04 LTS noble
Fixed 3.21.12-8.2ubuntu0.1
22.04 LTS jammy
Fixed 3.12.4-1ubuntu7.22.04.2
20.04 LTS focal
Needs evaluation
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation
14.04 LTS trusty
Needs evaluation

Notes

hlibk

The CVE page does not reference the correct commit.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
protobuf

References

Related Ubuntu Security Notices (USN)

    • USN-7435-1
    • Protocol Buffers vulnerability
    • 14 April 2025

Other references