{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-13T14:37:26Z",
  "bugzilla" : {
    "description" : "protobufjs: protobufjs: Security control bypass due to improper handling of overlong UTF-8 sequences",
    "id" : "2477083",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2477083"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-76",
  "details" : [ "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can provide protobuf binary data decoded through the affected UTF-8 path may be able to bypass application-level checks that inspect raw bytes before protobuf string decoding. For example, bytes that do not contain certain ASCII characters could decode to strings containing those characters. This vulnerability is fixed in 7.5.6 and 8.0.2.", "A flaw was found in protobufjs, a library that compiles protobuf definitions into JavaScript functions. An attacker who can provide specially crafted protobuf binary data containing overlong UTF-8 (Unicode Transformation Format - 8-bit) byte sequences may be able to bypass application-level checks. This occurs because the minimal UTF-8 decoder in protobufjs incorrectly decodes these sequences to their canonical characters instead of rejecting them. This could lead to unexpected data interpretation and potentially allow an attacker to circumvent security controls." ],
  "statement" : "Moderate: A flaw in protobufjs, as used in Red Hat products, allows an attacker to bypass application-level security checks. By providing specially crafted protobuf binary data with overlong UTF-8 sequences, an attacker could cause incorrect data interpretation, potentially circumventing security controls that inspect raw bytes before string decoding. This could lead to unintended behavior or access within applications relying on protobufjs for data processing.",
  "package_state" : [ {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-pipelines/pipelines-console-plugin-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-pipelines/pipelines-console-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-service-mesh/kiali-ossmc-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-service-mesh/kiali-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "ansible-automation-platform-26/gateway-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "automation-platform-ui",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop",
    "fix_state" : "Fix deferred",
    "package_name" : "rh-podman-desktop.git",
    "cpe" : "cpe:/a:redhat:podman_desktop:1"
  }, {
    "product_name" : "Red Hat Ceph Storage 9",
    "fix_state" : "Fix deferred",
    "package_name" : "rhceph/alloy-rhel10",
    "cpe" : "cpe:/a:redhat:ceph_storage:9"
  }, {
    "product_name" : "Red Hat Developer Hub",
    "fix_state" : "Fix deferred",
    "package_name" : "rhdh/rhdh-hub-rhel9",
    "cpe" : "cpe:/a:redhat:rhdh:1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Out of support scope",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rhelai3/bootc-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rhelai3/bootc-gaudi-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rhelai3/bootc-rocm-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rhelai3/disk-image-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Not affected",
    "package_name" : "dotnet9.0",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-dashboard-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-mod-arch-automl-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-mod-arch-autorag-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-mod-arch-eval-hub-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-mod-arch-gen-ai-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-mod-arch-maas-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-mod-arch-mlflow-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-mod-arch-model-registry-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift3/ose-console",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift4/ose-console",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift4/ose-console-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Fix deferred",
    "package_name" : "odf4/mcg-core-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Self-service automation portal 2",
    "fix_state" : "Fix deferred",
    "package_name" : "ansible-automation-platform/automation-portal",
    "cpe" : "cpe:/a:redhat:ansible_portal:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-44288\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-44288\nhttps://github.com/protobufjs/protobuf.js/security/advisories/GHSA-q6x5-8v7m-xcrf" ],
  "name" : "CVE-2026-44288",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}