PatchSiren cyber security CVE debrief
CVE-2026-45799 square CVE debrief
A vulnerability was found in Wire gRPC and protocol buffers for Android, Kotlin, Swift, and Java. Prior to versions 6.3.0 and 7.0.0-alpha03, the ByteArrayProtoReader32.skipGroup() and ProtoReader.skipGroup() methods in wire-runtime do not validate that a LENGTH_DELIMITED field length is non-negative before skip(), which can lead to an ArrayIndexOutOfBoundsException. This vulnerability has a CVSS score of 7.5 and is considered HIGH severity. The vulnerability is caused by a lack of validation in the ByteArrayProtoReader32.skipGroup() and ProtoReader.skipGroup() methods in wire-runtime. This allows a crafted protobuf varint encoding -128 as a signed Int to make skip(-128) move the internal position negative and make the next readByte() throw ArrayIndexOutOfBoundsException instead of the documented IOException or ProtocolException.
- Vendor
- square
- Product
- wire
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of Wire gRPC and protocol buffers for Android, Kotlin, Swift, and Java should be aware of this vulnerability and take steps to update to a patched version. This includes operators managing affected deployments, platform administrators ensuring version updates are applied, vulnerability management teams assessing exposure, and security teams verifying that compensating controls are in place.
Technical summary
The vulnerability is caused by a lack of validation in the ByteArrayProtoReader32.skipGroup() and ProtoReader.skipGroup() methods in wire-runtime. This allows a crafted protobuf varint encoding -128 as a signed Int to make skip(-128) move the internal position negative and make the next readByte() throw ArrayIndexOutOfBoundsException instead of the documented IOException or ProtocolException. The issue affects Wire gRPC and protocol buffers for Android, Kotlin, Swift, and Java, specifically versions prior to 6.3.0 and 7.0.0-alpha03.
Defensive priority
High
Recommended defensive actions
- Update to Wire version 6.3.0 or later
- Update to Wire version 7.0.0-alpha03 or later
- Verify that all Wire gRPC and protocol buffers components are up to date
- Review the official advisory for specific guidance on affected versions and patches
- Check for any existing compensating controls that may mitigate exposure
- Perform an inventory of assets using affected Wire gRPC and protocol buffers versions
- Monitor for potential exploitation attempts using relevant logs and detection tools
Evidence notes
The CVE record was published on 2026-07-17T20:17:18.393Z and has not been modified since then. The NVD entry is currently 7.5 HIGH. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The vulnerability affects Wire gRPC and protocol buffers for Android, Kotlin, Swift, and Java, specifically versions prior to 6.3.0 and 7.0.0-alpha03. The vulnerability has been publicly disclosed and may be targeted by attackers. Users should review the official advisory and take steps to update to a patched version.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T20:17:18.393Z and has not been modified since then.