{"id":"CVE-2022-3171","details":"A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.","aliases":["GHSA-h4h5-3hr4-j3g2"],"modified":"2026-04-16T00:07:14.732059546Z","published":"2022-10-12T23:15:09.807Z","related":["CGA-8f53-f8wm-95fh","GHSA-h4h5-3hr4-j3g2","SUSE-SU-2022:3922-1","SUSE-SU-2023:2783-1","SUSE-SU-2023:2783-2"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"37"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*"}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/"},{"type":"ADVISORY","url":"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202301-09"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/protocolbuffers/protobuf","events":[{"introduced":"0"},{"fixed":"b8c2488f480bbe3d66b9874c2fcd434201caa48a"},{"introduced":"652d99a8ee8aa6b801e11977951fbf444cfccc8f"},{"fixed":"5cba162a5d93f8df786d828621019e03e50edb4f"},{"introduced":"bc799d78f81115940eec953e2937245c70e3e6e4"},{"fixed":"fe271ab76f2ad2b2b28c10443865d2af21e27e0e"},{"introduced":"7062d0a2d0075d5e7d5c294fd3984df67a976da3"},{"fixed":"54489e95e01882407f356f83c9074415e561db00"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"3.16.3"},{"introduced":"3.17.0"},{"fixed":"3.19.6"},{"introduced":"3.20.0"},{"fixed":"3.20.3"},{"introduced":"3.21.0"},{"fixed":"3.21.7"}],"source":"CPE_FIELD","cpe":["cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*","cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*","cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*","cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*","cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*"]}}],"versions":["v2.6.0","v2.6.1rc1","v21.0-rc1","v21.0-rc2","v3.0.0-alpha-3","v3.0.0-alpha-4","v3.0.0-beta-1","v3.0.0-beta-1-bzl-fix","v3.0.0-beta-2","v3.0.0-beta-3-pre-1","v3.12.3","v3.16.0","v3.16.0-rc1","v3.16.0-rc2","v3.16.1","v3.19.0","v3.19.0-rc1","v3.19.0-rc2","v3.19.1","v3.19.2","v3.19.3","v3.19.4","v3.20.0","v3.20.0-rc2","v3.20.0-rc3","v3.20.1","v3.20.1-rc1"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","target":{"file":"src/google/protobuf/compiler/plugin.pb.h"},"id":"CVE-2022-3171-188035fa","deprecated":false,"source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"]}},{"deprecated":false,"target":{"file":"src/google/protobuf/descriptor.pb.h"},"id":"CVE-2022-3171-1a4951d1","signature_version":"v1","signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","digest":{"threshold":0.9,"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"]}},{"deprecated":false,"target":{"file":"src/google/protobuf/wrappers.pb.h"},"id":"CVE-2022-3171-2069b3da","signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"]}},{"deprecated":false,"target":{"file":"src/google/protobuf/any.pb.h"},"id":"CVE-2022-3171-2f6d50fa","signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"]}},{"signature_version":"v1","target":{"file":"src/google/protobuf/wrappers.pb.h"},"id":"CVE-2022-3171-3c760779","deprecated":false,"source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"]}},{"deprecated":false,"target":{"file":"src/google/protobuf/field_mask.pb.h"},"id":"CVE-2022-3171-4e70c1e4","signature_version":"v1","signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","digest":{"threshold":0.9,"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"]}},{"signature_version":"v1","target":{"file":"src/google/protobuf/descriptor.pb.h"},"id":"CVE-2022-3171-51960048","deprecated":false,"source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"]}},{"deprecated":false,"target":{"file":"src/google/protobuf/timestamp.pb.h"},"id":"CVE-2022-3171-610f4e97","signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"]}},{"deprecated":false,"target":{"file":"src/google/protobuf/api.pb.h"},"id":"CVE-2022-3171-6bc36508","signature_version":"v1","signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","digest":{"threshold":0.9,"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"]}},{"deprecated":false,"target":{"file":"src/google/protobuf/compiler/plugin.pb.h"},"id":"CVE-2022-3171-7b523458","signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"]}},{"signature_version":"v1","target":{"file":"src/google/protobuf/timestamp.pb.h"},"id":"CVE-2022-3171-7b59bb12","deprecated":false,"source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"]}},{"deprecated":false,"target":{"file":"src/google/protobuf/type.pb.h"},"id":"CVE-2022-3171-892436e4","signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"]}},{"signature_version":"v1","target":{"file":"src/google/protobuf/any.pb.h"},"id":"CVE-2022-3171-8c2e0192","deprecated":false,"source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"]}},{"deprecated":false,"target":{"file":"src/google/protobuf/api.pb.h"},"id":"CVE-2022-3171-8ec1c149","signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"]}},{"deprecated":false,"target":{"file":"src/google/protobuf/empty.pb.h"},"id":"CVE-2022-3171-97dee356","signature_version":"v1","signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","digest":{"threshold":0.9,"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"]}},{"signature_version":"v1","target":{"file":"src/google/protobuf/type.pb.h"},"id":"CVE-2022-3171-9c5325d9","deprecated":false,"source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"]}},{"deprecated":false,"target":{"file":"src/google/protobuf/empty.pb.h"},"id":"CVE-2022-3171-b0f21209","signature_version":"v1","signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","digest":{"threshold":0.9,"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"]}},{"signature_version":"v1","target":{"file":"src/google/protobuf/duration.pb.h"},"id":"CVE-2022-3171-c1227f64","deprecated":false,"signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","digest":{"threshold":0.9,"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"]}},{"deprecated":false,"target":{"file":"src/google/protobuf/duration.pb.h"},"id":"CVE-2022-3171-c9c7f1ec","signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"]}},{"deprecated":false,"target":{"file":"src/google/protobuf/field_mask.pb.h"},"id":"CVE-2022-3171-d5e132eb","signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"]}},{"deprecated":false,"target":{"file":"src/google/protobuf/source_context.pb.h"},"id":"CVE-2022-3171-ebeb0e90","signature_version":"v1","source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"]}},{"signature_version":"v1","target":{"file":"src/google/protobuf/struct.pb.h"},"id":"CVE-2022-3171-f9310ee7","deprecated":false,"source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"]}},{"signature_version":"v1","target":{"file":"src/google/protobuf/source_context.pb.h"},"id":"CVE-2022-3171-f931a154","deprecated":false,"signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/5cba162a5d93f8df786d828621019e03e50edb4f","digest":{"threshold":0.9,"line_hashes":["99802369379779068741640024407784092008","225304807984448079980401650582696715752","252831113805316861556574171429044010978","224179326576241034740376008476800918793"]}},{"signature_version":"v1","target":{"file":"src/google/protobuf/struct.pb.h"},"id":"CVE-2022-3171-fd9bc12e","deprecated":false,"signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a","digest":{"threshold":0.9,"line_hashes":["14463844651962961940331438795809373578","214516298593296203942852467115320028386","261809066153928994664321823254706116376","307626444442344817117879599035219910274"]}}],"vanir_signatures_modified":"2026-04-12T03:44:16Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-3171.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}