Anthropic — Buffa Rust Library 0-Day: 22x Heap Amplification via Protobuf Unknown Fields
What happened
- Anthropic's Rust-based protobuf library buffa was found vulnerable to a zero-day denial-of-service flaw tracked as CVE-2026-55407 (GHSA-f9qc-qg88-7pq5).
- Scored 6.3 (Moderate) under CVSS 4.0 on paper, but real-world impact scales to High or Critical depending on deployment architecture — any service decoding untrusted protobuf with preserve_unknown_fields enabled (the default) is affected.
- The flaw was discovered by Endor Labs' AI SAST engine, which flagged a suspicious data flow in the decode_unknown_field function — a length value parsed from untrusted wire data is used to allocate a Vec<u8> without an explicit upper bound.
- The critical amplification path: a WireType::StartGroup branch loops over nested unknown fields until a matching EndGroup tag. Each nested field can be encoded in just 2 bytes but triggers ~40 bytes of heap allocation plus growth overhead.
- Endor Labs demonstrated a 64 MiB protobuf payload driving ~1.4 GiB of heap usage — a 22x amplification — killing the process with OOM (exit code 137) inside a 256 MiB Docker container.
- buffa and connectrpc versions before 0.8.0 are affected. Anthropic released fixes implementing a configurable per-message limit on unknown fields.
- The case is notable for methodology: an AI-driven SAST engine uncovered a non-trivial, logic-level DoS in a memory-safe Rust library by tracing untrusted data from source to heap allocation sink — not via pattern matching.
Why it matters
buffa is used in Anthropic's infrastructure for protobuf serialization/deserialization. Services that decode untrusted protobuf messages — common in model serving, agent tooling, and inter-service communication — are exposed. The discovery also demonstrates that "memory safe" languages like Rust do not automatically prevent resource-exhaustion vulnerabilities: the allocator is still a sink, and untrusted length fields can still drive unbounded allocation. The 22x amplification factor means input-size caps alone are insufficient.
What to do
- Update buffa/connectrpc to version 0.8.0 or later.
- If you cannot upgrade immediately, regenerate protobuf code with preserve_unknown_fields=false to remove the primary sink from the data path.
- Audit any service that decodes untrusted protobuf for similar patterns — especially model serving infrastructure, MCP servers using protobuf transport, and agent tooling that accepts wire-format input.
- Consider AI-assisted SAST for your own codebase: traditional pattern-based scanners miss logic-level amplification paths in memory-safe languages.
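The mechanism described under "What happened" (wire-format lengths driving allocation, and cheap nested group fields each costing a heap record) and the per-message cap the fix introduces, shown as an added Rust illustration that is not buffa's code: the walker counts every unknown field across all nesting levels against one limit and refuses a length-delimited field that claims more bytes than the buffer holds. The Limits type, the error names and the 40-byte per-field overhead figure are assumptions for the demonstration.

```rust
// Added example, not buffa's code: walk protobuf unknown fields under a
// per-message cap (the 40-byte per-field overhead figure is an assumption).
#[derive(Debug, PartialEq)]
pub enum DecodeError { Truncated, TooManyUnknownFields, BadWireType }
pub struct Limits { pub max_unknown_fields: usize }

/// Read a base-128 varint; returns (value, bytes consumed).
fn read_varint(buf: &[u8]) -> Result<(u64, usize), DecodeError> {
    let mut v = 0u64;
    for (i, b) in buf.iter().take(10).enumerate() {
        v |= u64::from(b & 0x7f) << (7 * i);
        if b & 0x80 == 0 { return Ok((v, i + 1)); }
    }
    Err(DecodeError::Truncated)
}
/// Walk every unknown field, recursing into groups, and return
/// (field_count, bytes the decoder would retain on the heap).
pub fn decode_unknown(buf: &[u8], limits: &Limits) -> Result<(usize, usize), DecodeError> {
    let (mut count, mut retained) = (0, 0);
    walk(buf, limits, &mut count, &mut retained, None)?;
    Ok((count, retained))
}
fn walk(buf: &[u8], lim: &Limits, count: &mut usize, retained: &mut usize,
        group: Option<u64>) -> Result<usize, DecodeError> {
    let mut pos = 0;
    while pos < buf.len() {
        let (tag, n) = read_varint(&buf[pos..])?; pos += n;
        let (field, wire) = (tag >> 3, tag & 7);
        if wire == 4 { // EndGroup: valid only when it closes the open group
            return if group == Some(field) { Ok(pos) } else { Err(DecodeError::BadWireType) };
        }
        *count += 1; // one counter shared across all nesting levels
        if *count > lim.max_unknown_fields { return Err(DecodeError::TooManyUnknownFields); }
        *retained += 40; // assumed per-field bookkeeping overhead
        match wire {
            0 => pos += read_varint(&buf[pos..])?.1,
            1 => pos += 8, 5 => pos += 4,
            2 => { // length-delimited: never allocate more than is actually present
                let (len, n) = read_varint(&buf[pos..])?; pos += n;
                if len > (buf.len() - pos) as u64 { return Err(DecodeError::Truncated); }
                *retained += len as usize; pos += len as usize;
            }
            3 => pos += walk(&buf[pos..], lim, count, retained, Some(field))?, // StartGroup
            _ => return Err(DecodeError::BadWireType),
        }
        if pos > buf.len() { return Err(DecodeError::Truncated); }
    }
    if group.is_some() { Err(DecodeError::Truncated) } else { Ok(pos) }
}
```

A constructed message of one group holding 1000 two-byte varint fields (2002 bytes) yields 1001 tracked fields and about 20 retained bytes per input byte, while a cap of 100 rejects it before most of that work is done.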