{"id":"CVE-2022-3510","details":"A parsing issue similar to CVE-2022-3171, but involving Message-Type Extensions, in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial-of-service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.\n\n","aliases":["GHSA-4gg5-vx3j-xwc7"],"modified":"2026-04-09T08:53:15.651720Z","published":"2022-12-12T13:15:14.670Z","related":["CGA-xh3h-x9r4-vx6v"],"references":[{"type":"FIX","url":"https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/protocolbuffers/protobuf","events":[{"introduced":"2dc747c574b68a808ea4699d26942c8132fe2b09"},{"fixed":"b8c2488f480bbe3d66b9874c2fcd434201caa48a"},{"introduced":"17b30e96476be70b8773b2b807bab857fd3ceb39"},{"fixed":"5cba162a5d93f8df786d828621019e03e50edb4f"},{"introduced":"bc799d78f81115940eec953e2937245c70e3e6e4"},{"fixed":"fe271ab76f2ad2b2b28c10443865d2af21e27e0e"},{"introduced":"7062d0a2d0075d5e7d5c294fd3984df67a976da3"},{"fixed":"54489e95e01882407f356f83c9074415e561db00"},{"introduced":"2dc747c574b68a808ea4699d26942c8132fe2b09"},{"fixed":"b8c2488f480bbe3d66b9874c2fcd434201caa48a"},{"introduced":"652d99a8ee8aa6b801e11977951fbf444cfccc8f"},{"fixed":"5cba162a5d93f8df786d828621019e03e50edb4f"},{"introduced":"bc799d78f81115940eec953e2937245c70e3e6e4"},{"fixed":"fe271ab76f2ad2b2b28c10443865d2af21e27e0e"},{"introduced":"7062d0a2d0075d5e7d5c294fd3984df67a976da3"},{"fixed":"54489e95e01882407f356f83c9074415e561db00"},{"fixed":"db7c17803320525722f45c1d26fc08bc41d1bf48"}],"database_specific":{"versions":[{"introduced":"3.16.0"},{"fixed":"3.16.3"},{"introduced":"3.19.0"},{"fixed":"3.19.6"},{"introduced":"3.20.0"},{"fixe
d":"3.20.3"},{"introduced":"3.21.0"},{"fixed":"3.21.7"},{"introduced":"3.16.0"},{"fixed":"3.16.3"},{"introduced":"3.17.0"},{"fixed":"3.19.6"},{"introduced":"3.20.0"},{"fixed":"3.20.3"},{"introduced":"3.21.0"},{"fixed":"3.21.7"}]}}],"versions":["v3.16.0","v3.16.1","v3.19.0","v3.19.1","v3.19.2","v3.19.3","v3.19.4","v3.20.0","v3.20.0-rc3","v3.20.1","v3.20.1-rc1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-3510.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}