PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45799 square CVE debrief

A vulnerability was found in Wire gRPC and protocol buffers for Android, Kotlin, Swift, and Java. Prior to versions 6.3.0 and 7.0.0-alpha03, the ByteArrayProtoReader32.skipGroup() and ProtoReader.skipGroup() methods in wire-runtime do not validate that a LENGTH_DELIMITED field length is non-negative before skip(), which can lead to an ArrayIndexOutOfBoundsException. This vulnerability has a CVSS score of 7.5 and is considered HIGH severity. The vulnerability is caused by a lack of validation in the ByteArrayProtoReader32.skipGroup() and ProtoReader.skipGroup() methods in wire-runtime. This allows a crafted protobuf varint encoding -128 as a signed Int to make skip(-128) move the internal position negative and make the next readByte() throw ArrayIndexOutOfBoundsException instead of the documented IOException or ProtocolException.

Vendor
square
Product
wire
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of Wire gRPC and protocol buffers for Android, Kotlin, Swift, and Java should be aware of this vulnerability and take steps to update to a patched version. This includes operators managing affected deployments, platform administrators ensuring version updates are applied, vulnerability management teams assessing exposure, and security teams verifying that compensating controls are in place.

Technical summary

The vulnerability is caused by a lack of validation in the ByteArrayProtoReader32.skipGroup() and ProtoReader.skipGroup() methods in wire-runtime. This allows a crafted protobuf varint encoding -128 as a signed Int to make skip(-128) move the internal position negative and make the next readByte() throw ArrayIndexOutOfBoundsException instead of the documented IOException or ProtocolException. The issue affects Wire gRPC and protocol buffers for Android, Kotlin, Swift, and Java, specifically versions prior to 6.3.0 and 7.0.0-alpha03.

Defensive priority

High

Recommended defensive actions

  • Update to Wire version 6.3.0 or later
  • Update to Wire version 7.0.0-alpha03 or later
  • Verify that all Wire gRPC and protocol buffers components are up to date
  • Review the official advisory for specific guidance on affected versions and patches
  • Check for any existing compensating controls that may mitigate exposure
  • Perform an inventory of assets using affected Wire gRPC and protocol buffers versions
  • Monitor for potential exploitation attempts using relevant logs and detection tools

Evidence notes

The CVE record was published on 2026-07-17T20:17:18.393Z and has not been modified since then. The NVD entry is currently 7.5 HIGH. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The vulnerability affects Wire gRPC and protocol buffers for Android, Kotlin, Swift, and Java, specifically versions prior to 6.3.0 and 7.0.0-alpha03. The vulnerability has been publicly disclosed and may be targeted by attackers. Users should review the official advisory and take steps to update to a patched version.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T20:17:18.393Z and has not been modified since then.