Anthropic — Buffa Rust Library 0-Day: 22x Heap Amplification via Protobuf Unknown Fields

What happened

  • Anthropic's Rust-based protobuf library buffa was found vulnerable to a zero-day denial-of-service flaw tracked as CVE-2026-55407 (GHSA-f9qc-qg88-7pq5).
  • Scored 6.3 (Moderate) under CVSS 4.0 on paper, but real-world impact scales to High or Critical depending on deployment architecture: any service decoding untrusted protobuf with preserve_unknown_fields enabled (the default) is affected.
  • The flaw was discovered by Endor Labs' AI SAST engine, which flagged a suspicious data flow in the decode_unknown_field function — a length value parsed from untrusted wire data is used to allocate a Vec<u8> without an explicit upper bound.
  • The critical amplification path: a WireType::StartGroup branch loops over nested unknown fields until a matching EndGroup tag. Each nested field can be as small as 2 bytes on the wire (a one-byte tag plus a one-byte varint) yet costs roughly 40 bytes of heap for its decoded representation, plus Vec growth overhead, and nothing caps how many such fields one message may carry.
  • Endor Labs demonstrated a 64 MiB protobuf payload driving ~1.4 GiB of heap usage — a 22x amplification — killing the process with OOM (exit code 137) inside a 256 MiB Docker container.
  • buffa and connectrpc versions before 0.8.0 are affected. Anthropic released fixes implementing a configurable per-message limit on unknown fields.
  • The case is notable for methodology: an AI-driven SAST engine uncovered a non-trivial, logic-level DoS in a memory-safe Rust library by tracing untrusted data from source to heap allocation sink — not via pattern matching.
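The amplification path and the fix, as an added illustration: the code below is a from-scratch model of protobuf unknown-field decoding written for this page, not buffa's code. The `Decoder`, `UnknownField`, `heap_bytes` and `group_payload` names, the `MAX_GROUP_DEPTH` recursion cap and the error variants are assumptions of the model. `max_unknown_fields: None` reproduces the uncapped behaviour described above; `Some(n)` models a per-message budget that counts every retained field across all nesting levels. The payload is constructed inline: one StartGroup tag, `n` two-byte varint fields, one EndGroup tag.

```rust
// Model of protobuf unknown-field decoding written for this page; not buffa's code.
use std::convert::{TryFrom, TryInto};
use std::mem::size_of;

/// Decoded representation of a field the schema does not know about (assumed shape).
#[derive(Debug, Clone, PartialEq)]
enum UnknownField {
    Varint(u32, u64),
    Fixed64(u32, u64),
    LengthDelimited(u32, Vec<u8>),
    Group(u32, Vec<UnknownField>),
    Fixed32(u32, u32),
}

#[derive(Debug, PartialEq)]
enum DecodeError { Truncated, BadVarint, BadWireType(u8), UnexpectedEndGroup, TooManyUnknownFields, TooDeep }

struct Cursor<'a> { buf: &'a [u8], pos: usize }

impl<'a> Cursor<'a> {
    fn remaining(&self) -> usize { self.buf.len() - self.pos }
    fn read_varint(&mut self) -> Result<u64, DecodeError> {
        let mut v = 0u64;
        for shift in (0..64).step_by(7) {
            let b = *self.buf.get(self.pos).ok_or(DecodeError::Truncated)?;
            self.pos += 1;
            v |= u64::from(b & 0x7f) << shift;
            if b & 0x80 == 0 { return Ok(v); }
        }
        Err(DecodeError::BadVarint)
    }
    /// Bounds-checks an untrusted length against the buffer BEFORE anything is allocated,
    /// so a length-delimited field claiming gigabytes cannot drive Vec::with_capacity.
    fn read_bytes(&mut self, n: usize) -> Result<&'a [u8], DecodeError> {
        if n > self.remaining() { return Err(DecodeError::Truncated); }
        let s = &self.buf[self.pos..self.pos + n];
        self.pos += n;
        Ok(s)
    }
}

const MAX_GROUP_DEPTH: usize = 64; // recursion cap for nested groups (assumption of this model)

/// `max_unknown_fields: None` = no cap (the vulnerable behaviour); `Some(n)` = per-message budget.
struct Decoder { max_unknown_fields: Option<usize>, seen: usize }

impl Decoder {
    fn decode(&mut self, buf: &[u8]) -> Result<Vec<UnknownField>, DecodeError> {
        self.decode_fields(&mut Cursor { buf, pos: 0 }, None, 0)
    }

    fn decode_fields(&mut self, c: &mut Cursor, closing: Option<u32>, depth: usize)
        -> Result<Vec<UnknownField>, DecodeError> {
        let mut out = Vec::new();
        loop {
            if c.remaining() == 0 {
                // A group whose EndGroup tag never arrives is a truncated message.
                return if closing.is_none() { Ok(out) } else { Err(DecodeError::Truncated) };
            }
            let tag = c.read_varint()?;
            let (field, wire_type) = ((tag >> 3) as u32, (tag & 7) as u8);
            if wire_type == 4 {
                return if closing == Some(field) { Ok(out) } else { Err(DecodeError::UnexpectedEndGroup) };
            }
            // The budget check: every retained field, at any depth, costs ~size_of::<UnknownField>()
            // of heap for ~2 wire bytes. Without this check the ratio is bounded only by input size.
            self.seen += 1;
            if let Some(max) = self.max_unknown_fields {
                if self.seen > max { return Err(DecodeError::TooManyUnknownFields); }
            }
            let f = match wire_type {
                0 => UnknownField::Varint(field, c.read_varint()?),
                1 => UnknownField::Fixed64(field, u64::from_le_bytes(c.read_bytes(8)?.try_into().unwrap())),
                2 => {
                    let len = usize::try_from(c.read_varint()?).map_err(|_| DecodeError::Truncated)?;
                    UnknownField::LengthDelimited(field, c.read_bytes(len)?.to_vec())
                }
                3 => {
                    if depth >= MAX_GROUP_DEPTH { return Err(DecodeError::TooDeep); }
                    UnknownField::Group(field, self.decode_fields(c, Some(field), depth + 1)?)
                }
                5 => UnknownField::Fixed32(field, u32::from_le_bytes(c.read_bytes(4)?.try_into().unwrap())),
                other => return Err(DecodeError::BadWireType(other)),
            };
            out.push(f);
        }
    }
}

/// Approximate heap footprint of a decoded field list: Vec capacity times element size,
/// plus owned bytes and nested groups. Enough to compare against the wire size.
fn heap_bytes(fields: &Vec<UnknownField>) -> usize {
    let mut total = fields.capacity() * size_of::<UnknownField>();
    for f in fields {
        match f {
            UnknownField::LengthDelimited(_, b) => total += b.capacity(),
            UnknownField::Group(_, inner) => total += heap_bytes(inner),
            _ => {}
        }
    }
    total
}

/// Constructed payload: StartGroup on field 1, `n` two-byte varint fields (tag 0x08, value 0), EndGroup.
fn group_payload(n: usize) -> Vec<u8> {
    let mut p = Vec::with_capacity(2 * n + 2);
    p.push(0x0B);                                         // field 1, wire type 3 (StartGroup)
    for _ in 0..n { p.extend_from_slice(&[0x08, 0x00]); } // field 1, wire type 0, value 0
    p.push(0x0C);                                         // field 1, wire type 4 (EndGroup)
    p
}

/// Heap-to-wire ratio for `payload` when unknown fields are retained without a cap.
fn amplification(payload: &[u8]) -> Result<f64, DecodeError> {
    let fields = Decoder { max_unknown_fields: None, seen: 0 }.decode(payload)?;
    Ok(heap_bytes(&fields) as f64 / payload.len() as f64)
}

fn main() {
    let payload = group_payload(10_000);
    println!("{} wire bytes -> ~{:.1}x heap when uncapped", payload.len(), amplification(&payload).unwrap());
    let capped = Decoder { max_unknown_fields: Some(1_000), seen: 0 }.decode(&payload);
    println!("with a 1000-field budget: {:?}", capped.err());
}
```

The budget is deliberately shared across recursion rather than reset per group: a per-group counter would still let an attacker multiply allocations by nesting many small groups. The depth cap guards the separate stack-exhaustion risk of unbounded recursion, which the advisory does not mention but which any recursive group decoder should have.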

Why it matters

buffa is used in Anthropic's infrastructure for protobuf serialization/deserialization. Services that decode untrusted protobuf messages, common in model serving, agent tooling, and inter-service communication, are exposed. The discovery also demonstrates that "memory safe" languages like Rust do not automatically prevent resource-exhaustion vulnerabilities: the allocator is still a sink, and untrusted length and repetition counts can still drive unbounded allocation. The 22x amplification factor means input-size caps alone are insufficient: a request-body limit would have to sit below 1/22 of the memory available to the decoding process to be safe by itself, so the limit has to be enforced on the decoded representation (field count, nesting depth, retained bytes), not only on the wire bytes.

What to do

  • Update buffa/connectrpc to version 0.8.0 or later.
  • If you cannot upgrade immediately, regenerate protobuf code with preserve_unknown_fields=false to remove the primary sink from the data path. Note the semantic cost: unknown fields are then dropped rather than round-tripped, so proxies or stores that forward messages will lose fields set by newer peers.
  • Audit any service that decodes untrusted protobuf for similar patterns — especially model serving infrastructure, MCP servers using protobuf transport, and agent tooling that accepts wire-format input.
  • Consider AI-assisted SAST for your own codebase: traditional pattern-based scanners miss logic-level amplification paths in memory-safe languages.

Sources