PT-2026-4468 · Google · Google.Protobuf

Published 2026-01-23 · Updated 2026-01-23 · CVE-2026-0994

CVSS v4.0: 8.2
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: google.protobuf (affected versions not specified)
Description: A denial-of-service (DoS) issue exists in the ParseDict() function within google.protobuf.json_format in Python. The vulnerability occurs because the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Specifically, missing recursion depth accounting within the internal Any-handling logic allows an attacker to supply deeply nested Any structures that circumvent the intended recursion limit. This can exhaust Python’s recursion stack, resulting in a RecursionError.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
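An interim guard, as an added example that is not part of this advisory or of the protobuf project: reject over-nested input before it reaches ParseDict(), so the check does not rely on the parser's own depth accounting. The function names, the limit of 32 and the sample input are assumptions made for this example.

```python
# Added example: pre-parse depth guard for untrusted JSON dicts.
# json_nesting_depth, check_depth and MAX_DEPTH are hypothetical names.
MAX_DEPTH = 32  # assumed application limit, not a protobuf default


def json_nesting_depth(obj):
    """Return the deepest dict/list nesting level in obj (a scalar is 0).

    Iterative on purpose: the guard must not itself raise RecursionError.
    """
    deepest = 0
    stack = [(obj, 0)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            children = node.values()
        elif isinstance(node, list):
            children = node
        else:
            continue  # scalars add no nesting
        depth += 1
        deepest = max(deepest, depth)
        stack.extend((child, depth) for child in children)
    return deepest


def check_depth(obj, limit=MAX_DEPTH):
    """Raise ValueError when obj nests deeper than limit, else return obj."""
    depth = json_nesting_depth(obj)
    if depth > limit:
        raise ValueError(f"JSON nesting depth {depth} exceeds limit {limit}")
    return obj


def constructed_nested(levels):
    """Constructed sample input: `levels` wrapper dicts around one leaf dict.

    Stands in for nested Any wrappers; "@type" holds a placeholder string.
    """
    node = {"@type": "constructed-placeholder", "value": 1}
    for _ in range(levels):
        node = {"@type": "constructed-placeholder", "value": node}
    return node


# Intended call order in an application (protobuf is not imported here):
#     json_format.ParseDict(check_depth(untrusted_dict), message)
```

Catching RecursionError around the ParseDict() call as well keeps a missed case from terminating the request handler.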

DoS

Uncontrolled Recursion

Weakness Enumeration

Related Identifiers

CVE-2026-0994

Affected Products

Google.Protobuf