CVE-2026-0994
EUVD-2026-432223.01.2026, 15:16
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| protobuf | 𝑥 ≤ 33.4 |
𝑥
= Vulnerable software versions
Debian Releases
openSUSE / SLES Releases
openSUSE Product | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| libprotobuf-lite20 |
| ||||||||||||||
| libprotobuf-lite25_1_0 |
| ||||||||||||||
| libprotobuf20 |
| ||||||||||||||
| libprotobuf25_1_0 |
| ||||||||||||||
| libprotoc20 |
| ||||||||||||||
| libprotoc25_1_0 |
| ||||||||||||||
| protobuf-devel |
| ||||||||||||||
| python3-protobuf |
| ||||||||||||||
| python311-protobuf |
|
Red Hat Enterprise Linux Releases
Amazon Linux Releases
Amazon Package | |||
|---|---|---|---|
| protobuf |
| ||
| protobuf-compiler |
| ||
| protobuf-compiler-debuginfo |
| ||
| protobuf-debuginfo |
| ||
| protobuf-debugsource |
| ||
| protobuf-devel |
| ||
| protobuf-emacs |
| ||
| protobuf-lite |
| ||
| protobuf-lite-debuginfo |
| ||
| protobuf-lite-devel |
| ||
| protobuf-lite-static |
| ||
| protobuf-static |
| ||
| protobuf-vim |
| ||
| python3-protobuf |
| ||
| python3-protobuf-debuginfo |
|
Azure Linux Releases
Common Weakness Enumeration
References