### [CVE-2021-22569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569)
![](https://img.shields.io/static/v1?label=Product&message=google-protobuf%20%5BJRuby%20Gem%5D&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=protobuf-java&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=protobuf-kotlin&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=unspecified%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-696%20Incorrect%20Behavior%20Order&color=brightgreen)

### Description

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

### POC

#### Reference
- http://www.openwall.com/lists/oss-security/2022/01/12/4
- http://www.openwall.com/lists/oss-security/2022/01/12/7
- https://www.oracle.com/security-alerts/cpuapr2022.html

#### Github
- https://github.com/ARPSyndicate/cve-scores
- https://github.com/ARPSyndicate/cvemon
- https://github.com/CodeIntelligenceTesting/jazzer
- https://github.com/Mario-Kart-Felix/A-potential-Denial-of-Service-issue-in-protobuf-java
- https://github.com/NaInSec/CVE-PoC-in-GitHub
- https://github.com/SYRTI/POC_to_review
- https://github.com/TinkerBoard-Android/rockchip-android-external-jazzer-api
- https://github.com/WhooAmii/POC_to_review
- https://github.com/k0mi-tg/CVE-POC
- https://github.com/manas3c/CVE-POC
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/soosmile/POC
- https://github.com/trhacknon/Pocingit
- https://github.com/whoforget/CVE-POC
- https://github.com/youwizard/CVE-POC
- https://github.com/zecool/cve