CVE-2022-3171

Publication date 12 October 2022

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
protobuf	23.04 lunar	Not affected
	22.10 kinetic	Ignored end of life, was ignored [changes too intrusive]
	22.04 LTS jammy	Ignored changes too intrusive
	20.04 LTS focal	Ignored changes too intrusive
	18.04 LTS bionic	Ignored changes too intrusive
	16.04 LTS xenial	Ignored changes too intrusive
	14.04 LTS trusty	Ignored changes too intrusive

Notes

eslerm

patch is possibly a3888f5

mdeslaur

The changes required to fix this issue in Ubuntu stable releases are too intrusive to be backported. We will not be releasing updates for this issue. See also CVE-2022-3510.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
protobuf	Upstream: 9a6781e

Severity score breakdown

Parameter	Value
Base score	7.5 · High
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H