Vulnerability-Lookup

MSRC_CVE-2024-7254

Vulnerability from csaf_microsoft - Published: 2024-09-01 07:00 - Updated: 2026-02-21 02:13

Summary

Stack overflow in Protocol Buffers Java Lite

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2024-7254

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known not affected 16 products

Product	Identifier	Version	Remediation
Unresolved product id: 17086-9		—
Unresolved product id: 17086-7		—
Unresolved product id: 17086-5		—
Unresolved product id: 17086-3		—
Unresolved product id: 17086-2		—
Unresolved product id: 17084-14		—
Unresolved product id: 17084-11		—
Unresolved product id: 17084-1		—
Unresolved product id: 17086-6		—
Unresolved product id: 17086-12		—
Unresolved product id: 17086-10		—
Unresolved product id: 17086-16		—
Unresolved product id: 17086-4		—
Unresolved product id: 17084-8		—
Unresolved product id: 17084-13		—
Unresolved product id: 17084-15		—

References

4 references

URL	Category
https://msrc.microsoft.com/csaf/vex/2024/msrc_cve…	self
https://support.microsoft.com/lifecycle	external
https://www.first.org/cvss	external
https://msrc.microsoft.com/csaf/vex/2024/msrc_cve…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2024-7254 Stack overflow in Protocol Buffers Java Lite - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2024/msrc_cve-2024-7254.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Stack overflow in Protocol Buffers Java Lite",
    "tracking": {
      "current_release_date": "2026-02-21T02:13:39.000Z",
      "generator": {
        "date": "2026-05-22T11:16:46.692Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2024-7254",
      "initial_release_date": "2024-09-01T07:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-09-03T21:12:43.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2026-02-21T02:13:39.000Z",
          "legacy_version": "2",
          "number": "2",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "2.0",
                "product": {
                  "name": "CBL Mariner 2.0",
                  "product_id": "17086"
                }
              },
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "category": "product_name",
            "name": "cbl2 tensorflow 0:2.11.1-2.cbl2",
            "product": {
              "name": "cbl2 tensorflow 0:2.11.1-2.cbl2",
              "product_id": "9"
            }
          },
          {
            "category": "product_name",
            "name": "cbl2 python-tensorboard 0:2.11.0-3.cbl2",
            "product": {
              "name": "cbl2 python-tensorboard 0:2.11.0-3.cbl2",
              "product_id": "7"
            }
          },
          {
            "category": "product_name",
            "name": "cbl2 grpc 0:1.42.0-11.cbl2",
            "product": {
              "name": "cbl2 grpc 0:1.42.0-11.cbl2",
              "product_id": "5"
            }
          },
          {
            "category": "product_name",
            "name": "cbl2 protobuf 0:3.17.3-3.cbl2",
            "product": {
              "name": "cbl2 protobuf 0:3.17.3-3.cbl2",
              "product_id": "3"
            }
          },
          {
            "category": "product_name",
            "name": "cbl2 keras 0:2.11.0-3.cbl2",
            "product": {
              "name": "cbl2 keras 0:2.11.0-3.cbl2",
              "product_id": "2"
            }
          },
          {
            "category": "product_name",
            "name": "azl3 grpc 0:1.62.3-1.azl3",
            "product": {
              "name": "azl3 grpc 0:1.62.3-1.azl3",
              "product_id": "14"
            }
          },
          {
            "category": "product_name",
            "name": "azl3 pytorch 0:2.2.2-7.azl3",
            "product": {
              "name": "azl3 pytorch 0:2.2.2-7.azl3",
              "product_id": "11"
            }
          },
          {
            "category": "product_name",
            "name": "azl3 protobuf 0:25.3-4.azl3",
            "product": {
              "name": "azl3 protobuf 0:25.3-4.azl3",
              "product_id": "1"
            }
          },
          {
            "category": "product_name",
            "name": "cbl2 mysql 0:8.0.41-1.cbl2",
            "product": {
              "name": "cbl2 mysql 0:8.0.41-1.cbl2",
              "product_id": "6"
            }
          },
          {
            "category": "product_name",
            "name": "cbl2 grpc 0:1.42.0-11.cbl2",
            "product": {
              "name": "cbl2 grpc 0:1.42.0-11.cbl2",
              "product_id": "12"
            }
          },
          {
            "category": "product_name",
            "name": "cbl2 pytorch 0:2.0.0-8.cbl2",
            "product": {
              "name": "cbl2 pytorch 0:2.0.0-8.cbl2",
              "product_id": "10"
            }
          },
          {
            "category": "product_name",
            "name": "cbl2 mysql 0:8.0.41-1.cbl2",
            "product": {
              "name": "cbl2 mysql 0:8.0.41-1.cbl2",
              "product_id": "16"
            }
          },
          {
            "category": "product_name",
            "name": "cbl2 pytorch 0:2.0.0-8.cbl2",
            "product": {
              "name": "cbl2 pytorch 0:2.0.0-8.cbl2",
              "product_id": "4"
            }
          },
          {
            "category": "product_name",
            "name": "azl3 python-tensorboard 0:2.16.2-6.azl3",
            "product": {
              "name": "azl3 python-tensorboard 0:2.16.2-6.azl3",
              "product_id": "8"
            }
          },
          {
            "category": "product_name",
            "name": "azl3 tensorflow 0:2.16.1-9.azl3",
            "product": {
              "name": "azl3 tensorflow 0:2.16.1-9.azl3",
              "product_id": "13"
            }
          },
          {
            "category": "product_name",
            "name": "azl3 mysql 0:8.0.41-1.azl3",
            "product": {
              "name": "azl3 mysql 0:8.0.41-1.azl3",
              "product_id": "15"
            }
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 tensorflow 0:2.11.1-2.cbl2 as a component of CBL Mariner 2.0",
          "product_id": "17086-9"
        },
        "product_reference": "9",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 python-tensorboard 0:2.11.0-3.cbl2 as a component of CBL Mariner 2.0",
          "product_id": "17086-7"
        },
        "product_reference": "7",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 grpc 0:1.42.0-11.cbl2 as a component of CBL Mariner 2.0",
          "product_id": "17086-5"
        },
        "product_reference": "5",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 protobuf 0:3.17.3-3.cbl2 as a component of CBL Mariner 2.0",
          "product_id": "17086-3"
        },
        "product_reference": "3",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 keras 0:2.11.0-3.cbl2 as a component of CBL Mariner 2.0",
          "product_id": "17086-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 grpc 0:1.62.3-1.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-14"
        },
        "product_reference": "14",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 pytorch 0:2.2.2-7.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-11"
        },
        "product_reference": "11",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 protobuf 0:25.3-4.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 mysql 0:8.0.41-1.cbl2 as a component of CBL Mariner 2.0",
          "product_id": "17086-6"
        },
        "product_reference": "6",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 grpc 0:1.42.0-11.cbl2 as a component of CBL Mariner 2.0",
          "product_id": "17086-12"
        },
        "product_reference": "12",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 pytorch 0:2.0.0-8.cbl2 as a component of CBL Mariner 2.0",
          "product_id": "17086-10"
        },
        "product_reference": "10",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 mysql 0:8.0.41-1.cbl2 as a component of CBL Mariner 2.0",
          "product_id": "17086-16"
        },
        "product_reference": "16",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 pytorch 0:2.0.0-8.cbl2 as a component of CBL Mariner 2.0",
          "product_id": "17086-4"
        },
        "product_reference": "4",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 python-tensorboard 0:2.16.2-6.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-8"
        },
        "product_reference": "8",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 tensorflow 0:2.16.1-9.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-13"
        },
        "product_reference": "13",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 mysql 0:8.0.41-1.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-15"
        },
        "product_reference": "15",
        "relates_to_product_reference": "17084"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-7254",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "flags": [
        {
          "label": "component_not_present",
          "product_ids": [
            "17086-9",
            "17086-7",
            "17086-5",
            "17086-3",
            "17086-2",
            "17084-14",
            "17084-11",
            "17084-1",
            "17086-6",
            "17086-12",
            "17086-10",
            "17086-16",
            "17086-4",
            "17084-8",
            "17084-13",
            "17084-15"
          ]
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Google",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "known_not_affected": [
          "17086-9",
          "17086-7",
          "17086-5",
          "17086-3",
          "17086-2",
          "17084-14",
          "17084-11",
          "17084-1",
          "17086-6",
          "17086-12",
          "17086-10",
          "17086-16",
          "17086-4",
          "17084-8",
          "17084-13",
          "17084-15"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-7254 Stack overflow in Protocol Buffers Java Lite - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2024/msrc_cve-2024-7254.json"
        }
      ],
      "title": "Stack overflow in Protocol Buffers Java Lite"
    }
  ]
}

CVE-2024-7254 (GCVE-0-2024-7254)

Vulnerability from cvelistv5 – Published: 2024-09-19 00:18 – Updated: 2025-09-08 09:37

Title

Stack overflow in Protocol Buffers Java Lite

Summary

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

Severity

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE

CWE-400 - Uncontrolled Resource Consumption
CWE-674 - Uncontrolled Recursion

Assigner

Google

References

1 reference

URL	Tags
https://github.com/protocolbuffers/protobuf/commi…

Impacted products

6 products

Vendor	Product	Version
Google	Protocol Buffers	Affected: 0 , < 28.2 (custom)
Google	protobuf-java	Affected: 0 , < 3.25.5 (custom) Affected: 0 , < 4.27.5 (custom) Affected: 0 , < 4.28.2 (custom)
Google	protobuf-javalite	Affected: 0 , < 3.25.5 (custom) Affected: 0 , < 4.27.5 (custom) Affected: 0 , < 4.28.2 (custom)
Google	protobuf-kotlin	Affected: 0 , < 3.25.5 (custom) Affected: 0 , < 4.27.5 (custom) Affected: 0 , < 4.28.2 (custom)
Google	protobuf-kotllin-lite	Affected: 0 , < 3.25.5 (custom) Affected: 0 , < 4.27.5 (custom) Affected: 0 , < 4.28.2 (custom)
Google	google-protobuf [JRuby Gem]	Affected: 0 , < 3.25.5 (custom) Affected: 0 , < 4.27.5 (custom) Affected: 0 , < 4.28.2 (custom)

Credits

Alexis Challande, Trail of Bits Ecosystem Security Team <ecosystem@trailofbits.com>

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "protobuf",
            "vendor": "google",
            "versions": [
              {
                "lessThan": "28.2",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*",
              "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
              "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*",
              "cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*",
              "cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "protobuf-kotlin-lite",
            "vendor": "google",
            "versions": [
              {
                "lessThan": "3.25.5",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "4.27.5",
                "status": "affected",
                "version": "4.27",
                "versionType": "custom"
              },
              {
                "lessThan": "4.28.2",
                "status": "affected",
                "version": "4.28",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-7254",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-19T14:29:43.468555Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-19T14:46:14.517Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-04-19T00:11:07.841Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20241213-0010/"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20250418-0006/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Protocol Buffers",
          "repo": "https://github.com/protocolbuffers/protobuf",
          "vendor": "Google",
          "versions": [
            {
              "lessThan": "28.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "collectionURL": "https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java",
          "defaultStatus": "unaffected",
          "product": "protobuf-java",
          "vendor": "Google",
          "versions": [
            {
              "lessThan": "3.25.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.27.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.28.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "protobuf-javalite",
          "vendor": "Google",
          "versions": [
            {
              "lessThan": "3.25.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.27.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.28.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "protobuf-kotlin",
          "vendor": "Google",
          "versions": [
            {
              "lessThan": "3.25.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.27.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.28.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "protobuf-kotllin-lite",
          "vendor": "Google",
          "versions": [
            {
              "lessThan": "3.25.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.27.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.28.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "collectionURL": "https://rubygems.org/gems/google-protobuf",
          "defaultStatus": "unaffected",
          "product": "google-protobuf [JRuby Gem]",
          "vendor": "Google",
          "versions": [
            {
              "lessThan": "3.25.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.27.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.28.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alexis Challande, Trail of Bits Ecosystem Security Team \u003cecosystem@trailofbits.com\u003e"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAny project that parses untrusted Protocol Buffers data\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;containing an arbitrary number of nested \u003c/span\u003e\u003ccode\u003egroup\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003es / series of \u003c/span\u003e\u003ccode\u003eSGROUP\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;tags can corrupted by exceeding the stack limit i.e. StackOverflow. \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eParsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "Any project that parses untrusted Protocol Buffers data\u00a0containing an arbitrary number of nested groups / series of SGROUP\u00a0tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674 Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-08T09:37:53.702Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Stack overflow in Protocol Buffers Java Lite",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2024-7254",
    "datePublished": "2024-09-19T00:18:45.824Z",
    "dateReserved": "2024-07-29T21:41:56.116Z",
    "dateUpdated": "2025-09-08T09:37:53.702Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

MSRC_CVE-2024-7254

CVE-2024-7254 (GCVE-0-2024-7254)

Tags

Sightings

Nomenclature