Endorlabs
Zero-Day DoS Vulnerability Found in Anthropic's buffa Library
A zero-day memory-amplification denial-of-service (DoS) vulnerability has been discovered in buffa, Anthropic's Rust-based protobuf library. Identified as CVE-2026-55407, the flaw lets attackers exploit an unbounded-allocation data flow: a small input can cause significant memory depletion. Endor Labs' AI-powered static application security testing (SAST) engine detected the issue, which affects any message decoded from untrusted input using the default settings. The vulnerability lies in the decode_unknown_field function in buffa's encoding module, where the allocation size is derived directly from untrusted input. Following the disclosure, Anthropic has engaged with Endor Labs to assess the severity based on deployment scenarios. The vulnerability is classified as moderate with a CVSS score of 6.3. Users of the library are advised to take immediate action to mitigate potential impacts.
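The pattern the article describes, a decoder that sizes an allocation from an attacker-controlled length prefix before checking how many bytes the input actually contains, is illustrated below as an added example. This is not buffa's code and does not reproduce decode_unknown_field; the function and type names are hypothetical and the sample inputs are constructed. The "before" variant reserves the declared length and only then discovers the input is truncated; the hardened variant validates the declared length against the remaining input and an explicit cap before allocating anything.

```rust
// Added illustration of the unbounded-allocation pattern, not buffa's code.
// Names (DecodeError, decode_len_delimited_*) are hypothetical.

#[derive(Debug, PartialEq)]
enum DecodeError {
    BadVarint,
    /// Declared length exceeded the bytes actually present. `reserved`
    /// records how many bytes the decoder had already requested from the
    /// allocator when it noticed; that gap is the amplification.
    Truncated { reserved: usize },
}

/// Read a protobuf varint (little-endian base-128, at most 10 bytes).
/// Returns the value and the number of bytes consumed.
fn read_varint(buf: &[u8]) -> Result<(u64, usize), DecodeError> {
    let mut value = 0u64;
    for (i, &b) in buf.iter().enumerate().take(10) {
        value |= u64::from(b & 0x7f) << (7 * i);
        if b & 0x80 == 0 {
            return Ok((value, i + 1));
        }
    }
    Err(DecodeError::BadVarint)
}

/// Hypothetical "before": size the buffer from the attacker-controlled
/// length prefix, then check whether that many bytes exist.
fn decode_len_delimited_unbounded(buf: &[u8]) -> Result<Vec<u8>, DecodeError> {
    let (len, used) = read_varint(buf)?;
    let len = usize::try_from(len).map_err(|_| DecodeError::Truncated { reserved: 0 })?;
    // The allocation happens here, before anyone has looked at buf.len().
    let mut field: Vec<u8> = Vec::with_capacity(len);
    match buf.get(used..).and_then(|rest| rest.get(..len)) {
        Some(payload) => {
            field.extend_from_slice(payload);
            Ok(field)
        }
        None => Err(DecodeError::Truncated { reserved: field.capacity() }),
    }
}

/// Hardened: the declared length is validated against the remaining input
/// and a configured cap before any allocation, so memory use is bounded by
/// the size of the message actually received.
fn decode_len_delimited_bounded(buf: &[u8], max_field_len: usize) -> Result<Vec<u8>, DecodeError> {
    let (len, used) = read_varint(buf)?;
    let remaining = buf.len() - used; // used <= buf.len() by construction
    if len > remaining as u64 || len > max_field_len as u64 {
        return Err(DecodeError::Truncated { reserved: 0 });
    }
    let len = len as usize;
    Ok(buf[used..used + len].to_vec())
}

/// Encode `n` as a varint; used only to build the constructed sample inputs.
fn encode_varint(mut n: u64) -> Vec<u8> {
    let mut out = Vec::new();
    loop {
        let byte = (n & 0x7f) as u8;
        n >>= 7;
        if n == 0 {
            out.push(byte);
            return out;
        }
        out.push(byte | 0x80);
    }
}

/// Constructed hostile input: a 3-byte varint declaring a 65,536-byte field,
/// followed by nothing. Kept modest so the example runs safely; a 10-byte
/// varint would make the unbounded path request far more.
fn hostile_input() -> Vec<u8> {
    encode_varint(65_536)
}

fn main() {
    let mut benign = encode_varint(5);
    benign.extend_from_slice(b"hello");
    println!("benign, bounded:    {:?}", decode_len_delimited_bounded(&benign, 1 << 20));
    println!("hostile, unbounded: {:?}", decode_len_delimited_unbounded(&hostile_input()));
    println!("hostile, bounded:   {:?}", decode_len_delimited_bounded(&hostile_input(), 1 << 20));
}
```

Running it shows the difference the article is pointing at: both decoders reject the 3-byte hostile input, but the unbounded one reports having reserved 65,536 bytes before rejecting it, while the bounded one reserves nothing. The cap argument is the second defence, for deployments where even "bounded by input size" is too generous for a single field.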
Key Points:
• CVE-2026-55407 is a zero-day DoS vulnerability in Anthropic's buffa library.
• The flaw allows attackers to cause memory depletion using small inputs.
• Endor Labs identified the vulnerability using its AI SAST engine.