Breaking change:
[HIGH] GHSA-7xpr-hc2w-34m9: Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding service
GitHub Security Advisory · Security · SecurityFix · 5/19/2026

# CVE-2026-45799

## Maintainer summary

Wire's protobuf group-skipping logic did not reject negative lengths before skipping a length-delimited field inside a group. A crafted protobuf payload could cause Wire to throw an unchecked runtime exception during decoding instead of the documented `IOExce
Why it matters → Apps using com.squareup.wire:wire-runtime will need code changes before upgrading. Review the release notes before bumping versions.
Who should care → Engineers depending on com.squareup.wire:wire-runtime.
com.squareup.wire:wire-runtime
Source payload preview
{
  "ghsaId": "GHSA-7xpr-hc2w-34m9",
  "summary": "Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding service ",
  "severity": "HIGH",
  "updatedAt": "2026-05-19T19:54:51Z",
  "references": [
    {
      "url": "https://github.com/square/wire/security/advisories/GHSA-7xpr-hc2w-34m9"
    },
    {
      "url": "https://github.com/square/wire/pull/3595"
    },
    {
      "url": "https://github.com/square/wire/pull/3597"
    },
    {
      "url": "https://github.com/advisories/GHSA-7xpr-hc2w-34m9"
    }
  ],
  "description": "# CVE-2026-45799\n\n## Maintainer summary\n\nWire's protobuf group-skipping logic did not reject negative lengths before skipping a\nlength-delimited field inside a group. A crafted protobuf payload could cause Wire to throw
…