Improper Validation of Array Index

CVE-2026-45799

High

7.5/10

Summary

Wire's protobuf group-skipping logic did not reject negative lengths before skipping a length-delimited field inside a group. A crafted protobuf payload could cause Wire to throw an unchecked runtime exception during decoding instead of the documented `IOException` / `ProtocolException` failure path. All versions prior to 6.3.0 and 7.x prior to 7.0.0-alpha03 are affected.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-129 - Improper Validation of Array Index

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

References

Advisory
Pull request

Advisory Timeline

Published May 19, 2026

Improper Validation of Array Index

CVE-2026-45799

Summary

CWE-129 - Improper Validation of Array Index

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS