{"id":"CVE-2021-22569","details":"An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.","aliases":["GHSA-wrvw-hg22-4m67"],"modified":"2026-05-18T22:59:04.373099Z","published":"2022-01-10T14:10:16.747Z","related":["CGA-p22x-xfxm-vx6h","SUSE-SU-2022:3922-1","SUSE-SU-2023:2783-1","SUSE-SU-2023:2783-2"],"database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"oracle:communications_cloud_native_core_console","extracted_events":[{"last_affected":"1.9.0"}]},{"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"oracle:communications_cloud_native_core_network_repository_function","extracted_events":[{"last_affected":"1.15.0"},{"last_affected":"1.15.1"}]},{"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"oracle:communications_cloud_native_core_policy","extracted_events":[{"last_affected":"1.15.0"}]},{"cpes":["cpe:2.3:a:oracle:spatial_and_graph_mapviewer:19c:*:*:*:*:*:*:*","cpe:2.3:a:oracle:spatial_and_graph_mapviewer:21c:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"oracle:spatial_and_graph_mapviewer","extracted_events":[{"last_affected":"19c"},{"last_affected":"21c"}]}]},"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2022/01/12/4"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2022/01/12/7"},{"type":"ADVISORY","url":"https://cloud.google.com/support/bulletins#gcp-2022-001"},{"type":"REPORT","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/protocolbuffers/protobuf","events":[{"introduced":"0"},{"fixed":"cb46755e6405e083b45481f5ea4754b180705529"},{"fixed":"791a4355c365bd92720160671a7491be168055cb"},{"fixed":"6c6b0778b70f35f93c2f0dee30e5d12ad2a83eea"},{"introduced":"89b14b1d16eba4d44af43256fc45b24a6a348557"},{"fixed":"6c6b0778b70f35f93c2f0dee30e5d12ad2a83eea"},{"introduced":"17b30e96476be70b8773b2b807bab857fd3ceb39"},{"fixed":"cb46755e6405e083b45481f5ea4754b180705529"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"3.19.2"},{"fixed":"3.16.1"},{"fixed":"3.18.2"},{"introduced":"3.18.0"},{"fixed":"3.18.2"},{"introduced":"3.19.0"},{"fixed":"3.19.2"}],"source":"CPE_FIELD","cpe":["cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*","cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*","cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*"]}}],"versions":["v3.16.0","v3.19.1","v3.19.0","v3.18.1","v3.18.0","v3.16.0-rc2","v3.16.0-rc1","v3.12.3","v3.0.0-beta-3-pre-1","v3.0.0-beta-2","v3.0.0-beta-1-bzl-fix","v3.0.0-beta-1","v3.0.0-alpha-4","v3.0.0-alpha-3","v2.6.1rc1","v2.6.0"],"database_specific":{"vanir_signatures":[{"source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"signature_type":"Line","id":"CVE-2021-22569-007a6f1a","target":{"file":"src/google/protobuf/source_context.pb.h"},"deprecated":false},{"source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"signature_type":"Line","id":"CVE-2021-22569-0c6a5439","target":{"file":"src/google/protobuf/any.pb.h"},"deprecated":false},{"source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"signature_type":"Line","id":"CVE-2021-22569-297c786b","target":{"file":"src/google/protobuf/compiler/plugin.pb.h"},"deprecated":false},{"source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"signature_type":"Line","id":"CVE-2021-22569-2ad1978c","target":{"file":"src/google/protobuf/field_mask.pb.h"},"deprecated":false},{"source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"signature_type":"Line","id":"CVE-2021-22569-74dbca6c","target":{"file":"src/google/protobuf/type.pb.h"},"deprecated":false},{"source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"signature_type":"Line","id":"CVE-2021-22569-7d3abc12","target":{"file":"src/google/protobuf/descriptor.pb.h"},"deprecated":false},{"source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"signature_type":"Line","id":"CVE-2021-22569-a55a1d2a","target":{"file":"src/google/protobuf/wrappers.pb.h"},"deprecated":false},{"source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"signature_type":"Line","id":"CVE-2021-22569-cbf5b140","target":{"file":"src/google/protobuf/timestamp.pb.h"},"deprecated":false},{"source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"signature_type":"Line","id":"CVE-2021-22569-d147c29a","target":{"file":"src/google/protobuf/api.pb.h"},"deprecated":false},{"source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"signature_type":"Line","id":"CVE-2021-22569-dec320e6","target":{"file":"src/google/protobuf/empty.pb.h"},"deprecated":false},{"source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"signature_type":"Line","id":"CVE-2021-22569-f87ca39e","target":{"file":"src/google/protobuf/duration.pb.h"},"deprecated":false},{"source":"https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["328459828297406866746685094975132074155","320482912142515080020906968928056412245","94902428441466243207974400648954766131","139512282090018918949412744829553419206"]},"signature_type":"Line","id":"CVE-2021-22569-ff862195","target":{"file":"src/google/protobuf/struct.pb.h"},"deprecated":false}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-22569.json","vanir_signatures_modified":"2026-05-18T22:59:04Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}