PT-2026-4468 · Google+2 · Google.Protobuf+2

Published 2026-01-01 · Updated 2026-03-04 · CVE-2026-0994

CVSS v4.0: 8.2
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

google.protobuf (affected versions not specified)

Description

A denial-of-service (DoS) issue exists in the ParseDict() function within google.protobuf.json_format in Python. The vulnerability occurs because the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Specifically, missing recursion depth accounting within the internal Any-handling logic allows an attacker to supply deeply nested Any structures that circumvent the intended recursion limit. This can exhaust Python’s recursion stack, resulting in a RecursionError.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
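
A pre-parse guard for services that pass untrusted dicts to ParseDict(), as an added example (not part of this advisory or of protobuf's own code): it bounds container nesting itself rather than relying on max_recursion_depth. MAX_JSON_DEPTH, check_depth, safe_parse_dict and nested_any are hypothetical names, and the limit of 32 is an assumed value.

```python
# Added example: pre-parse depth guard, independent of protobuf internals.
MAX_JSON_DEPTH = 32  # assumed application limit; tune to your own schemas


class NestingTooDeep(ValueError):
    """Raised when an untrusted JSON-like object nests deeper than allowed."""


def check_depth(obj, limit=MAX_JSON_DEPTH):
    """Return the max container depth of obj; raise NestingTooDeep past limit.

    Iterative (explicit stack), so the guard itself cannot hit RecursionError.
    Every dict/list level counts, including Any wrappers ("@type"/"value").
    """
    deepest = 0
    stack = [(obj, 1)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            children = node.values()
        elif isinstance(node, (list, tuple)):
            children = node
        else:
            continue  # scalars add no nesting
        if depth > limit:
            raise NestingTooDeep(f"nesting depth {depth} exceeds limit {limit}")
        deepest = max(deepest, depth)
        stack.extend((child, depth + 1) for child in children)
    return deepest


def safe_parse_dict(js_dict, message, limit=MAX_JSON_DEPTH):
    """Hypothetical wrapper: enforce the depth limit, then call ParseDict."""
    check_depth(js_dict, limit)
    from google.protobuf import json_format  # lazy import; needs protobuf
    return json_format.ParseDict(js_dict, message)


def nested_any(levels):
    """Constructed sample input: a Duration wrapped in `levels` Any layers."""
    doc = {"@type": "type.googleapis.com/google.protobuf.Duration", "value": "1s"}
    for _ in range(levels):
        doc = {"@type": "type.googleapis.com/google.protobuf.Any", "value": doc}
    return doc
```

Because the check runs before the parser is invoked, an over-deep payload is rejected with NestingTooDeep and never reaches the Any-handling code path.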

DoS

Uncontrolled Recursion

Weakness Enumeration

Related Identifiers

ALSA-2026:3094
ALSA-2026:3095
CVE-2026-0994
ECHO-1995-FF5E-CE0C
GHSA-7GCM-G887-7QV7
RHSA-2026:3059
RHSA-2026:3094
RHSA-2026:3095
RHSA-2026:3097
RHSA-2026:3218
RHSA-2026:3219
RHSA-2026:3220
RHSA-2026:3958
RHSA-2026:3959
SUSE-SU-2026:0563-1
SUSE-SU-2026:0618-1
USN-8063-1

Affected Products

Linuxmint
Ubuntu
Google.Protobuf