๐Ÿ” CVE Alert

CVE-2026-55406

UNKNOWN 0.0

Buffa: Use-After-Free in OwnedView via Unsound 'static Lifetime Promotion in Deref

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.7.0, a soundness bug in the OwnedView<V> type allowed safe Rust code to trigger a use-after-free: the OwnedView::decode constructor transmuted a borrowed slice to &'static [u8], and the Deref implementation exposed the promoted 'static lifetime on borrowed view fields (such as &'static str and &'static [u8]) to callers, so the borrow checker permitted those references to outlive the OwnedView; once the OwnedView was dropped and its backing buffer freed, the references became dangling, enabling memory corruption, information disclosure of freed heap contents, and cross-thread misuse without any unsafe code in the calling application. This issue is fixed in version 0.7.0.

CWE CWE-200 CWE-416
Vendor anthropics
Product buffa
Published Jul 16, 2026
Last Updated Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for anthropics buffa

Be the first to know when new unknown vulnerabilities affecting anthropics buffa are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

anthropics / buffa
< 0.7.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/anthropics/buffa/security/advisories/GHSA-9pwq-gcrx-wghh github.com: https://github.com/anthropics/buffa/pull/154 github.com: https://github.com/anthropics/buffa/commit/7dcf50a1a40eca6ed8d6c6dd59f4310aa0d68b0e github.com: https://github.com/anthropics/buffa/releases/tag/v0.7.0