### Summary

A message parsing and memory management vulnerability in Protocol Buffers' C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message, which could lead to a denial of service (DoS) on services using the libraries.

Reporter: [ClusterFuzz](https://google.github.io/clusterfuzz/)

Affected versions: All versions of C++ Protobufs (including Python) prior to the versions listed below.

### Severity & Impact

As scored by Google: **Medium 5.7** - [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

As scored by NIST: **High 7.5** - [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

A small (~500 KB) malicious payload can be constructed which causes the running service to allocate more than 3 GB of RAM.

### Proof of Concept

For reproduction details, please refer to the unit test that identifies the specific inputs that exercise this parsing weakness.

### Mitigation / Patching

Please update to the latest available versions of the following packages:

- protobuf-cpp (3.18.3, 3.19.5, 3.20.2, 3.21.6)
- protobuf-python (3.18.3, 3.19.5, 3.20.2, 4.21.6)
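When auditing a fleet for this advisory, the practical question is whether an installed protobuf release is older than the patched release on its own branch. The following is an added helper (not code from the advisory or from the protobuf project) that encodes the patched versions listed above and classifies an installed version; it assumes that branches newer than the last listed one carry the fix, which the advisory does not state explicitly, and reports unlisted branches in between as unknown.

```python
from __future__ import annotations
import re

# Patched releases named in the advisory, keyed by package, as (major, minor, patch).
FIXED_VERSIONS = {
    "protobuf-cpp": [(3, 18, 3), (3, 19, 5), (3, 20, 2), (3, 21, 6)],
    "protobuf-python": [(3, 18, 3), (3, 19, 5), (3, 20, 2), (4, 21, 6)],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch'; trailing suffixes such as 'rc1' are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(package: str, version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for an installed protobuf version.

    Every release before the listed patched version on its own branch is affected,
    and branches older than the first listed one have no fix at all. Branches newer
    than the last listed one are assumed (not stated in the advisory) to include
    the fix; unlisted branches in between are reported as 'unknown'.
    """
    fixed = FIXED_VERSIONS[package]
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    for f_major, f_minor, f_patch in fixed:
        if (f_major, f_minor) == branch:
            return "fixed" if patch >= f_patch else "vulnerable"
    if branch < fixed[0][:2]:
        return "vulnerable"
    if branch > fixed[-1][:2]:
        return "fixed"  # assumption: later branches carry the fix
    return "unknown"


def assess_installed() -> str:
    """Classify the protobuf Python package importable in this interpreter, if any."""
    try:
        import google.protobuf as pb  # the package exposes __version__
    except ImportError:
        return "unknown"
    return assess("protobuf-python", pb.__version__)


if __name__ == "__main__":
    for pkg, ver in [("protobuf-cpp", "3.20.1"), ("protobuf-python", "4.21.6")]:
        print(pkg, ver, assess(pkg, ver))
    print("installed:", assess_installed())
```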