Impact
The flaw lies in the Protobuf PHP library's routine for parsing untrusted data. Messages that embed negative varints (on the wire, a negative int32 or int64 value is sign-extended to 64 bits and occupies the full 10 varint bytes) or that nest embedded messages deeply enough to trigger deep recursion cause the parser logic to misbehave and crash the application or service that processes the data. Because the crash is unconditional, an attacker can repeatedly induce downtime by sending such crafted messages. The weakness is an input validation flaw, and it lets an attacker compromise the availability of any application that relies on the library.
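Both malformed shapes named above, overlong or negative varints and deeply nested embedded messages, can be screened at the wire-format level before a payload ever reaches the decoder. The pre-validator below is an added example, not code from the Protobuf PHP library or from this advisory; it is written in Python as a runnable reference (the same walk ports directly to PHP in front of the PECL decoder), and the `Envelope`/`Node` schema, the `MAX_DEPTH` of 16, the `reject_negative` policy switch and the sample payloads are all assumptions constructed for the example.

```python
"""Schema-aware wire-format pre-validation for untrusted protobuf payloads.

Added example; not code from the Protobuf PHP library or from the advisory.
It walks the protobuf wire format against a small assumed schema and rejects
payloads that carry overlong varints, nest embedded messages deeper than a
fixed limit or (optionally) encode negative varint values, so that an
exposed decoder is never handed them.
"""

MAX_VARINT_BYTES = 10   # a 64-bit varint, sign-extended negatives included, is at most 10 bytes
MAX_DEPTH = 16          # assumption: choose a limit your real schemas never reach

# Assumed schema: message name -> {field number: name of the embedded message type}.
# Fields not listed are scalars or unknown fields and are skipped by wire type.
SCHEMA = {
    "Envelope": {1: "Node"},
    "Node": {2: "Node"},   # self-referential field: the shape that drives deep recursion
}


class InvalidPayload(ValueError):
    """Raised for any payload the pre-validator refuses to pass on."""


def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode one base-128 varint at buf[pos:] -> (unsigned value, next pos).

    Negative int32/int64 values occupy all 10 bytes; an 11th continuation byte,
    or a 10th byte carrying more than one data bit, is malformed and rejected.
    """
    value = shift = 0
    for i in range(MAX_VARINT_BYTES):
        if pos + i >= len(buf):
            raise InvalidPayload("truncated varint")
        byte = buf[pos + i]
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            if value >> 64:
                raise InvalidPayload("varint does not fit in 64 bits")
            return value, pos + i + 1
    raise InvalidPayload("varint longer than 10 bytes")


def _walk(buf, pos, end, message, depth, reject_negative):
    """Validate the fields of `message` in buf[pos:end]; return the deepest level seen."""
    if depth > MAX_DEPTH:
        raise InvalidPayload(f"message nesting deeper than {MAX_DEPTH}")
    embedded = SCHEMA.get(message, {})
    deepest = depth
    while pos < end:
        tag, pos = read_varint(buf, pos)
        number, wire_type = tag >> 3, tag & 7
        if number == 0:
            raise InvalidPayload("field number 0 is illegal")
        if wire_type == 0:                                  # varint
            value, pos = read_varint(buf, pos)
            if reject_negative and value >> 63:             # bit 63 set == negative int32/int64
                raise InvalidPayload(f"negative varint in field {number}")
        elif wire_type in (1, 5):                           # fixed64 / fixed32
            pos += 8 if wire_type == 1 else 4
            if pos > end:
                raise InvalidPayload("fixed-width field runs past its parent")
        elif wire_type == 2:                                # length-delimited
            length, pos = read_varint(buf, pos)
            if length > end - pos:
                raise InvalidPayload("length-delimited field runs past its parent")
            sub = embedded.get(number)
            if sub is not None:                             # embedded message: recurse, counting depth
                deepest = max(deepest, _walk(buf, pos, pos + length, sub, depth + 1, reject_negative))
            pos += length                                   # string/bytes/unknown: skipped as opaque
        else:                                               # groups (3, 4) and reserved types (6, 7)
            raise InvalidPayload(f"unsupported wire type {wire_type}")
    return deepest


def validate(buf: bytes, root: str = "Envelope", reject_negative: bool = False) -> int:
    """Return the deepest nesting level of a well-formed payload, or raise InvalidPayload."""
    return _walk(buf, 0, len(buf), root, 0, reject_negative)


def is_safe(buf: bytes, root: str = "Envelope", reject_negative: bool = False) -> bool:
    """True if the payload passes every check and may be handed to the real decoder."""
    try:
        validate(buf, root, reject_negative)
        return True
    except InvalidPayload:
        return False


# --- constructed sample payloads for exercising the checks (not real traffic) ---

def encode_varint(value: int) -> bytes:
    """Encode an int as a varint; negatives are sign-extended to 64 bits like int32/int64."""
    value &= (1 << 64) - 1
    out = bytearray()
    while value > 0x7F:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def nested_node(levels: int) -> bytes:
    """A Node whose field 2 embeds another Node, `levels` deep (an empty Node for 0)."""
    body = b""
    for _ in range(levels):
        body = encode_varint((2 << 3) | 2) + encode_varint(len(body)) + body
    return body


def envelope(node: bytes) -> bytes:
    """An Envelope whose field 1 carries the given Node bytes."""
    return encode_varint((1 << 3) | 2) + encode_varint(len(node)) + node


if __name__ == "__main__":
    negative = envelope(encode_varint((3 << 3) | 0) + encode_varint(-1))
    print("negative int64, default policy:", is_safe(negative))                       # True
    print("negative int64, strict policy:", is_safe(negative, reject_negative=True))  # False
    print("17 levels of nesting:", is_safe(envelope(nested_node(16))))                # False
    print("11-byte varint:", is_safe(envelope(b"\x18" + b"\x80" * 10 + b"\x01")))     # False
```

Length-delimited fields that the schema does not declare as embedded messages are skipped as opaque bytes, exactly as a real decoder treats strings, `bytes` and unknown fields, so nesting is counted only where the decoder would actually recurse. The advisory does not say whether the decoder is tripped by malformed varints or by well-formed negative ones, so the strict `reject_negative` mode refuses every 10-byte varint in a value position; enable it only for schemas that never carry negative `int32`/`int64` values (`sint32`/`sint64` are zigzag-encoded and produce short varints, so they are unaffected). Decoders normally enforce their own nesting cap (the C++ runtime defaults to 100 levels); putting a far lower limit in front of an unpatched decoder confines it to the message shapes the deployment actually expects.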
Affected Systems
Any PHP application that depends on the Protobuf PHP package distributed via PECL is potentially affected. Versions of the library released before the publicly documented fix are considered vulnerable. The vulnerability does not lie in the PHP language itself but in the library that imports and decodes external protobuf messages.
Risk and Exploitability
The assigned CVSS score of 7.1 corresponds to high severity, driven by the availability impact. No proven exploits have appeared in public advisories, and the vulnerability is not in the current known exploited vulnerabilities list, so there is limited evidence of widespread exploitation. An attacker can exploit the weakness by sending a maliciously constructed protobuf payload to any exposed endpoint or service that invokes the parser, crashing the application and forcing a restart or downtime.
OpenCVE Enrichment
Github GHSA