{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-45799/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["wire-runtime","wire-runtime-jvm"],"_cs_severities":["medium"],"_cs_tags":["protobuf","denial-of-service","CVE-2026-45799","wire"],"_cs_type":"advisory","_cs_vendors":["Square"],"content_html":"\u003cp\u003eA vulnerability exists in Square\u0026rsquo;s Wire protobuf library where the group-skipping logic does not reject negative lengths before skipping a length-delimited field inside a group. This issue, identified as CVE-2026-45799, allows an attacker to craft a malicious protobuf payload that causes Wire to throw an unchecked runtime exception (\u003ccode\u003eArrayIndexOutOfBoundsException\u003c/code\u003e) during decoding instead of the expected checked \u003ccode\u003eIOException\u003c/code\u003e. This can crash services that decode untrusted protobuf payloads while handling only Wire\u0026rsquo;s documented checked decoding failures. The vulnerability affects \u003ccode\u003ewire-runtime\u003c/code\u003e versions before 6.3.0, \u003ccode\u003ewire-runtime-jvm\u003c/code\u003e legacy releases including 5.3.1 and 5.3.3, and Wire 7 alpha releases prior to the fix being merged. The fix is implemented in Wire version 6.3.0, released by Square.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a protobuf payload with a START_GROUP field (wire type 3) containing a LENGTH_DELIMITED field (wire type 2) inside the group.\u003c/li\u003e\n\u003cli\u003eThe LENGTH_DELIMITED field\u0026rsquo;s length is the five-byte varint \u003ccode\u003e0x80 0xFF 0xFF 0xFF 0x0F\u003c/code\u003e, which decodes to 0xFFFFFF80; read as a signed 32-bit Int, that value is -128.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eByteArrayProtoReader32.skipGroup()\u003c/code\u003e or \u003ccode\u003eProtoReader.skipGroup()\u003c/code\u003e function in Wire is called to skip the unknown group.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003einternalReadVarint32()\u003c/code\u003e function reads the length as a signed Int but does not validate that it is non-negative.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eskip(length)\u003c/code\u003e function is then called without a check for a negative length, so \u003ccode\u003epos + byteCount\u003c/code\u003e becomes negative.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epos\u003c/code\u003e counter in the \u003ccode\u003eByteArrayProtoReader32\u003c/code\u003e underflows to an invalid negative position (e.g., -121 when the reader is at offset 7, i.e. two single-byte tags plus the five-byte length, and -128 is added).\u003c/li\u003e\n\u003cli\u003eThe next \u003ccode\u003ereadByte()\u003c/code\u003e call attempts to access the source array with the negative position, resulting in an \u003ccode\u003eArrayIndexOutOfBoundsException\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThis exception is a \u003ccode\u003eRuntimeException\u003c/code\u003e that escapes Wire\u0026rsquo;s documented \u003ccode\u003eIOException\u003c/code\u003e boundary, potentially crashing the service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability can lead to a denial-of-service (DoS) condition in services that decode untrusted protobuf payloads using vulnerable versions of the Wire library. Attackers can send specially crafted payloads to crash affected services, impacting availability and potentially disrupting business operations. Legacy versions using \u003ccode\u003ecom.squareup.wire:wire-runtime-jvm\u003c/code\u003e including \u003ccode\u003e5.3.1\u003c/code\u003e and \u003ccode\u003e5.3.3\u003c/code\u003e are vulnerable and will not receive patches. Services using vulnerable versions of \u003ccode\u003ecom.squareup.wire:wire-runtime\u003c/code\u003e prior to \u003ccode\u003e6.3.0\u003c/code\u003e, or affected alpha releases of Wire 7, are also at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ecom.squareup.wire:wire-runtime:6.3.0\u003c/code\u003e or later to address CVE-2026-45799.\u003c/li\u003e\n\u003cli\u003eMigrate from the discontinued \u003ccode\u003ecom.squareup.wire:wire-runtime-jvm\u003c/code\u003e artifact to \u003ccode\u003ecom.squareup.wire:wire-runtime:6.3.0\u003c/code\u003e or later.\u003c/li\u003e\n\u003cli\u003eUntil the next Wire 7 alpha release is available, avoid decoding untrusted protobuf payloads with affected alpha versions or build from a commit containing the fix.\u003c/li\u003e\n\u003cli\u003eWhere the upgrade cannot be applied immediately, treat a \u003ccode\u003eRuntimeException\u003c/code\u003e thrown while decoding untrusted input as a decoding failure rather than letting it propagate, since this fault surfaces as \u003ccode\u003eArrayIndexOutOfBoundsException\u003c/code\u003e and not as the checked \u003ccode\u003eIOException\u003c/code\u003e that callers typically handle.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Wire Protobuf Negative Length Exploitation Attempt\u0026rdquo; Sigma rule to identify attempts to exploit CVE-2026-45799.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T19:55:35Z","date_published":"2026-05-19T19:55:35Z","id":"https://feed.craftedsignal.io/briefs/2026-05-wire-negative-length-protobuf/","summary":"A vulnerability in Wire's protobuf group-skipping logic allows a crafted payload with a negative length to cause a runtime exception and potentially crash services decoding untrusted protobuf, addressed in version 6.3.0.","title":"Wire Protobuf Negative Length Vulnerability (CVE-2026-45799)","url":"https://feed.craftedsignal.io/briefs/2026-05-wire-negative-length-protobuf/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-45799","version":"https://jsonfeed.org/version/1.1"}