CVE-2026-0994
Denial of Service in Python Protobuf
| CVSS Score | 7.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python's recursion stack and causing a RecursionError.
| CWE | CWE-674 |
| Vendor | python |
| Product | protobuf |
| Ecosystems | |
| Industries | Technology |
| Published | Jan 23, 2026 |
| Last Updated | Jun 30, 2026 |
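One way to bound nesting before untrusted input reaches ParseDict() on an affected version, as an added example that is not protobuf's own code or the upstream fix. The names measure_nesting, is_safe_to_parse and NestingTooDeep and the limit of 32 are assumptions chosen for illustration, and the sample payload is constructed.

```python
# Added example, not protobuf code. Pure standard library.
MAX_DEPTH = 32  # assumed application limit; choose one that fits your schemas


class NestingTooDeep(ValueError):
    """Raised when an untrusted payload nests deeper than the allowed limit."""


def measure_nesting(payload, max_depth=MAX_DEPTH):
    """Return (container_depth, any_layers) for a JSON-like payload.

    Walks with an explicit stack, so the check itself cannot hit
    RecursionError. any_layers counts dicts carrying "@type" (the JSON
    form of google.protobuf.Any) along the deepest such path.
    """
    deepest = most_any = 0
    stack = [(payload, 1, 0)]
    while stack:
        node, depth, any_layers = stack.pop()
        if isinstance(node, dict):
            if "@type" in node:
                any_layers += 1
            children = node.values()
        elif isinstance(node, (list, tuple)):
            children = node
        else:
            continue  # scalars add no nesting
        if depth > max_depth:
            raise NestingTooDeep(f"nesting exceeds {max_depth} levels")
        deepest = max(deepest, depth)
        most_any = max(most_any, any_layers)
        stack.extend((child, depth + 1, any_layers) for child in children)
    return deepest, most_any


def is_safe_to_parse(payload, max_depth=MAX_DEPTH):
    """True if the payload may be handed to json_format.ParseDict()."""
    try:
        measure_nesting(payload, max_depth)
    except NestingTooDeep:
        return False
    return True


# Constructed sample: two Any layers wrapping a Duration (three "@type" dicts).
SAMPLE = {"@type": "type.googleapis.com/google.protobuf.Any",
          "value": {"@type": "type.googleapis.com/google.protobuf.Any",
                    "value": {"@type": "type.googleapis.com/google.protobuf.Duration",
                              "value": "1.5s"}}}
```

Call is_safe_to_parse() on the decoded dict and reject the request when it returns False, so the parser never sees input deeper than the limit you enforce.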
Affected Versions
Python / Protobuf
<=v33.4
References
github.com: https://github.com/protocolbuffers/protobuf/pull/25239
access.redhat.com: https://access.redhat.com/security/cve/CVE-2026-0994
bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2432398
security.access.redhat.com: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-0994.json
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3959
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3958
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3218
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3094
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3097
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3220
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3059
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3219
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3095
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3461
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3462
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:8748
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:8746
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:8747
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:16174