vulnerability

Ubuntu: (Multiple Advisories) (CVE-2024-7254): Protocol Buffers vulnerability

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:N/C:N/I:N/A:C)	Sep 19, 2024	Apr 15, 2025	Mar 27, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Published

Sep 19, 2024

Added

Apr 15, 2025

Modified

Mar 27, 2026

Description

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

Solutions

ubuntu-upgrade-libprotobuf-javaubuntu-upgrade-python3-protobuf

References

CVE-2024-7254
https://attackerkb.com/topics/CVE-2024-7254
CWE-400
CWE-674
CWE-787
EUVD-EUVD-2024-2741
UBUNTU-USN-7435-1
UBUNTU-USN-7629-1
https://euvd.enisa.europa.eu/vulnerability/EUVD-2024-2741

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report