PatchSiren cyber security CVE debrief
CVE-2026-55406 anthropics CVE debrief
A use-after-free vulnerability was discovered in Buffa, a pure-Rust Protocol Buffers implementation, prior to version 0.7.0. The issue is caused by a soundness bug in the OwnedView<V> type, which allows safe Rust code to trigger a use-after-free. This can lead to memory corruption, information disclosure of freed heap contents, and cross-thread misuse. The vulnerability affects Buffa versions prior to 0.7.0. The issue is fixed in version 0.7.0 of Buffa.
- Vendor
- anthropics
- Product
- buffa
- CVSS
- MEDIUM 5.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users of Buffa versions prior to 0.7.0 should update to the latest version to mitigate this vulnerability. Developers using Buffa in their applications should review their code to ensure it is not vulnerable to this issue. Operators and security teams should be aware of the potential impact of this vulnerability on their systems and take steps to mitigate it.
Technical summary
The OwnedView::decode constructor transmuted a borrowed slice to &'static [u8], and the Deref implementation exposed the promoted 'static lifetime on borrowed view fields to callers. This allowed the borrow checker to permit those references to outlive the OwnedView; once the OwnedView was dropped and its backing buffer freed, the references became dangling. The issue is fixed in version 0.7.0 of Buffa. The vulnerability can lead to memory corruption, information disclosure of freed heap contents, and cross-thread misuse without any unsafe code in the calling application.
Defensive priority
High
Recommended defensive actions
- Update Buffa to version 0.7.0 or later
- Review code using Buffa to ensure it is not vulnerable to this issue
- Monitor for any suspicious activity related to this vulnerability
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The CVE record was published on 2026-07-16T17:16:57.623Z and has not been modified since then. The NVD entry is currently Deferred. This information is based on the CVE.org and NVD records. The vulnerability affects Buffa versions prior to 0.7.0. The issue is caused by a soundness bug in the OwnedView<V> type, which allows safe Rust code to trigger a use-after-free. This can lead to memory corruption, information disclosure of freed heap contents, and cross-thread misuse. The CVE record does not provide additional information on known or unknown affected scope. Defenders should verify the affected scope and severity based on the official advisory or CVE record.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T17:16:57.623Z and has not been modified since then. The NVD entry is currently Deferred.