CVE-2026-0994 — Uncontrolled Recursion in Google Protobuf

CWE-674 — Uncontrolled Recursion10 documents9 sources

Severity

8.2HIGHNVD

EPSS

0.0%

top 97.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Protobuf Python Protobuf

Timeline

PublishedJan 23

Latest updateFeb 25

Description

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

Affected Packages3 packages

▶PyPIgoogle/protobuf6.30.0rc1 — 6.33.5+1

▶NVDgoogle/protobuf33.4

▶CVEListV5python/protobuf<=v33.4

Patches

Patch: github.com ↗

🔴Vulnerability Details

CVEList

Denial of Service in Python Protobuf↗2026-01-23

▶

OSV

CVE-2026-0994: A denial-of-service (DoS) vulnerability exists in google↗2026-01-23

▶

OSV

protobuf affected by a JSON recursion depth bypass↗2026-01-23

▶

GHSA

protobuf affected by a JSON recursion depth bypass↗2026-01-23

▶

📋Vendor Advisories

Ubuntu

Protocol Buffers vulnerability↗2026-02-25

▶

Red Hat

python: protobuf: Protobuf: Denial of Service due to recursion depth bypass↗2026-01-23

▶

Debian

CVE-2026-0994: protobuf - A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.Pa...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-0994 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-0994 python: protobuf: Protobuf: Denial of Service due to recursion depth bypass↗2026-01-23

▶