Threat Advisory

Wire Runtime Vulnerability Enables Negative Length Bypass

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-45799, with a CVSS score of 7.5, is a vulnerability in the Wire-decoding service that allows a crafted protobuf payload to crash the service. The affected products are maven/com.squareup.wire:wire-runtime-jvm, versions <= 5.3.3, and maven/com.squareup.wire:wire-runtime, versions <= 6.2.0 and >= 7.0.0-alpha01, <= 7.0.0-alpha02. The vulnerability arises from a missing negative-length check in Wire's protobuf group-skipping logic: a crafted protobuf varint can encode a negative length, which causes Wire to throw an unchecked runtime exception during decoding instead of failing through the documented IOException/ProtocolException path, leading to service crashes. An attacker can exploit this vulnerability by sending a crafted protobuf payload to the affected Wire-decoding service, resulting in denial of service. The business impact of this vulnerability is significant, as service crashes can potentially cause data loss or corruption. To exploit this vulnerability, an attacker requires access to the Wire-decoding service and the ability to send a crafted protobuf payload.
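As an added illustration (not Wire's code), the following Python shows the failure mode the summary describes: a minimal protobuf varint reader that returns a signed 32-bit length, a weak skip that hands that length straight to a hypothetical low-level skip (which fails with an unchecked error when the length is negative), and a hardened skip that rejects a negative length on the documented ProtocolException path first. ProtocolException, _skip and the sample byte strings are assumptions constructed for this example.

```python
class ProtocolException(IOError):
    """Stands in for the documented IOException/ProtocolException path (assumed name)."""

def read_varint32(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a base-128 varint at buf[pos] as a signed 32-bit int: up to 10 bytes
    are read but only the low 32 bits kept, so a wide varint can come back negative."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ProtocolException("truncated varint")
        b, pos = buf[pos], pos + 1
        if shift < 32:
            result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            break
        if shift >= 70:
            raise ProtocolException("varint longer than 10 bytes")
    result &= 0xFFFFFFFF
    return (result - 0x100000000 if result >= 0x80000000 else result), pos

def _skip(buf: bytes, pos: int, count: int) -> int:
    """Hypothetical low-level skip; rejects a negative count with an unchecked error."""
    if count < 0:
        raise ValueError(f"byteCount < 0: {count}")
    if pos + count > len(buf):
        raise ProtocolException("length exceeds input")
    return pos + count

def skip_length_unchecked(buf: bytes, pos: int) -> int:
    """Weak form: the decoded length goes straight to the skip."""
    length, pos = read_varint32(buf, pos)
    return _skip(buf, pos, length)

def skip_length_checked(buf: bytes, pos: int) -> int:
    """Hardened form: a negative length fails on the documented path first."""
    length, pos = read_varint32(buf, pos)
    if length < 0:
        raise ProtocolException(f"negative length {length}")
    return _skip(buf, pos, length)

def outcome(skipper, buf: bytes) -> str:
    """Run a skipper over a length-prefixed field body; report the end offset or exception type."""
    try:
        return f"ok:{skipper(buf, 0)}"
    except Exception as e:
        return f"{type(e).__name__}:{e}"

# Constructed inputs: a valid 3-byte field body, and a 5-byte varint for 0xFFFFFFFF (-1 as int32).
GOOD = b"\x03abc"
NEGATIVE_LENGTH = b"\xff\xff\xff\xff\x0f"
```

The hardened form is the property a fix should restore: malformed input ends in the documented protocol error, never in an unchecked exception that propagates out of the decoder.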

RECOMMENDATION:

  • We recommend updating com.squareup.wire:wire-runtime to version 6.3.0 or 7.0.0-alpha03.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-7xpr-hc2w-34m9
