An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
CVE-2021-22569
This high-severity CVE scores 7.5 under NVD CVSS v3. EPSS exploit probability: 0.3%, top 46% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
A fix is available — apply it.
- CVSS v3
- 7.5
- EG Score
- 7.5(medium)
- EPSS
- 73.8%
- KEV
- Not listed
Published
January 10, 2022
Last Modified
November 21, 2024
References (12)
- cve-coordination@googlehttp://www.openwall.com/lists/oss-security/2022/01/12/4
- cve-coordination@googlehttp://www.openwall.com/lists/oss-security/2022/01/12/7
- cve-coordination@googlehttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330
- cve-coordination@googlehttps://cloud.google.com/support/bulletins#gcp-2022-001
- cve-coordination@googlehttps://lists.debian.org/debian-lts-announce/2023/04/msg00019.html
- cve-coordination@googlehttps://www.oracle.com/security-alerts/cpuapr2022.html
- af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2022/01/12/4
- af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2022/01/12/7
- af854a3a-2127-422b-91ae-364da2661108https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330
- af854a3a-2127-422b-91ae-364da2661108https://cloud.google.com/support/bulletins#gcp-2022-001
- af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html
- af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpuapr2022.html
Vendor Advisories for CVE-2021-22569(4)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- CVE-2021-22569Microsoft Security Response Center (MSRC)
CVE-2021-22569
- RHSA-2022:8761Red Hat Product SecurityMedium
Red Hat Security Advisory: Red Hat support for Spring Boot 2.7.2 update
- RHSA-2022:6835Red Hat Product SecurityHigh
Red Hat Security Advisory: Service Registry (container images) release and security update [2.3.0.GA]
- RHSA-2022:5532Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Fuse 7.11.0 release and security update
Patch Availability(3)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| ubuntu | protobuf-compiler (2.5.0-9ubuntu1+esm1) @ trusty | 2026-05-26 | ubuntu |
| redhat | protobuf-java | 2022-12-14 | redhat |
| redhat | patch | 2022-03-22 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(3 across 2 ecosystems)
Maven(2)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| com.google.protobuf:protobuf-java | 3.19.0, 3.19.1 | 3.19.2 | — |
| com.google.protobuf:protobuf-kotlin | 3.19.0, 3.19.1 | 3.19.2 | — |
RubyGems(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| google-protobuf | 3.0.0 ... 3.9.2 (90 versions) | 3.19.2 | — |
Frequently asked(5)
What is CVE-2021-22569?
When was CVE-2021-22569 disclosed?
Is CVE-2021-22569 actively exploited?
What is the CVSS score of CVE-2021-22569?
How do I remediate CVE-2021-22569?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2021-22569
Is Your Infrastructure Affected by CVE-2021-22569?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.