2459442 – (CVE-2026-41242) CVE-2026-41242 protobufjs: protobufjs: Arbitrary code execution via injected protobuf definition type fields

Bug 2459442 (CVE-2026-41242) - CVE-2026-41242 protobufjs: protobufjs: Arbitrary code execution via injected protobuf definition type fields

Summary: CVE-2026-41242 protobufjs: protobufjs: Arbitrary code execution via injected ...

Keywords:
Status:	NEW
Alias:	CVE-2026-41242
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2463271 2463274 2463353 2463354 2463355 2463356
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-18 17:01 UTC by OSIDB Bzimport
Modified:	2026-04-28 03:11 UTC (History)
CC List:	39 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-18 17:01:14 UTC

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.

Note You need to log in before you can comment on or make changes to this bug.

abarbaro
abuckta
alizardo
bbrownin
caswilli
cdrage
dkuc
dschmidt
erezende
ewittman
janstey
jchui
jhe
jkoehler
jlanda
kaycoth
kshier
ktsao
lchilton
lphiri
mstipich
nboldt
nipatil
oaljalju
orabin
pantinor
psrna
rexwhite
rhel-process-autobot
rkubis
rushinde
sfeifer
simaishi
smcdonal
stcannon
sthirugn
teagle
watson-tool-maintainers
yguenane