{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-41242", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-18T03:47:03.135Z", "datePublished": "2026-04-18T16:18:10.652Z", "dateUpdated": "2026-07-10T12:05:23.945Z" }, "containers": { "cna": { "title": "protobufjs has an arbitrary code execution issue", "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE" } ] } ], "metrics": [ { "cvssV4_0": { "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0" } } ], "references": [ { "name": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg" }, { "name": "https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75" }, { "name": "https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956" }, { "name": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5" }, { "name": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1" } ], "affected": [ { "vendor": "protobufjs", "product": "protobuf.js", "versions": [ { "version": "< 7.5.5", "status": "affected" }, { "version": ">= 8.0.0-experimental, < 8.0.1", "status": "affected" } ] } ], "providerMetadata": { "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-18T16:18:10.652Z" }, "descriptions": [ { "lang": "en", "value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the \"type\" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue." } ], "source": { "advisory": "GHSA-xq3m-2v4x-88gg", "discovery": "UNKNOWN" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-04-20T16:03:39.054181Z", "id": "CVE-2026-41242", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:03:57.689Z" } }, { "affected": [ { "cpes": [ "cpe:/a:redhat:rhdh:1.8::el9" ], "defaultStatus": "affected", "product": "Red Hat Developer Hub 1.8", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhdh:1.9::el9" ], "defaultStatus": "affected", "product": "Red Hat Developer Hub 1.9", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_ai:2.25::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift AI 2.25", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_ai:3.3::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift AI 3.3", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_pipelines:1" ], "defaultStatus": "affected", "product": "OpenShift Pipelines", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:apicurio_registry:3" ], "defaultStatus": "affected", "product": "Red Hat build of Apicurio Registry 3", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:podman_desktop:1" ], "defaultStatus": "affected", "product": "Red Hat Build of Podman Desktop", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhdh:1" ], "defaultStatus": "affected", "product": "Red Hat Developer Hub", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_ai" ], "defaultStatus": "affected", "product": "Red Hat OpenShift AI (RHOAI)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:ansible_portal:2" ], "defaultStatus": "affected", "product": "Self-service automation portal 2", "vendor": "Red Hat" }, { "cpes": [ "cpe:/o:redhat:enterprise_linux:8" ], "defaultStatus": "unaffected", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat" }, { "cpes": [ "cpe:/o:redhat:enterprise_linux:9" ], "defaultStatus": "unaffected", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:hummingbird:1" ], "defaultStatus": "unaffected", "product": "Red Hat Hardened Images", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:cryostat:4" ], "defaultStatus": "unknown", "product": "Cryostat 4", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:service_mesh:3" ], "defaultStatus": "unknown", "product": "OpenShift Service Mesh 3", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:ansible_automation_platform:2" ], "defaultStatus": "unknown", "product": "Red Hat Ansible Automation Platform 2", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:ceph_storage:9" ], "defaultStatus": "unknown", "product": "Red Hat Ceph Storage 9", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:enterprise_linux_ai:3" ], "defaultStatus": "unknown", "product": "Red Hat Enterprise Linux AI (RHEL AI) 3", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_data_foundation:4" ], "defaultStatus": "unknown", "product": "Red Hat Openshift Data Foundation 4", "vendor": "Red Hat" } ], "datePublic": "2026-04-18T16:18:10.652Z", "descriptions": [ { "lang": "en", "value": "A flaw was found in protobufjs, a JavaScript (JS) library used for compiling protobuf definitions. A remote attacker with low privileges can exploit this vulnerability by injecting arbitrary code into the \"type\" fields of protobuf definitions. This malicious code will then execute during the object decoding process, leading to arbitrary code execution and potentially full system compromise." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE" } ] } ], "references": [ { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2026-41242" }, { "name": "RHBZ#2459442", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459442" }, { "tags": [ "x_sadp-csaf-vex" ], "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41242.json" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:21338" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:26234" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:24977" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:37275" } ], "solutions": [ { "lang": "en", "value": "RHSA-2026:21338: Red Hat Developer Hub 1.8" }, { "lang": "en", "value": "RHSA-2026:26234: Red Hat Developer Hub 1.9" }, { "lang": "en", "value": "RHSA-2026:24977: Red Hat OpenShift AI 2.25" }, { "lang": "en", "value": "RHSA-2026:37275: Red Hat OpenShift AI 3.3" } ], "timeline": [ { "lang": "en", "time": "2026-04-18T17:00:50.677Z", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2026-04-18T16:18:10.652Z", "value": "Made public." } ], "title": "protobufjs: protobufjs: Arbitrary code execution via injected protobuf definition type fields", "x_adpType": "supplier", "x_generator": { "engine": "sadp-cli 1.0.0" }, "providerMetadata": { "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-07-10T12:05:23.945Z" } } ] } }