CVE-2026-0994

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/protocolbuffers/protobuf/pull/25239	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:*

History

09 Apr 2026, 14:19

Type	Values Removed	Values Added
Summary		(es) Hay una vulnerabilidad de denegación de servicio (DoS) en google.protobuf.json_format.ParseDict() en Python, donde el límite max_recursion_depth puede ser evitado al analizar mensajes anidados de google.protobuf.Any. Debido a que no se contabiliza la profundidad de recursión dentro de la lógica interna de manejo de Any, un atacante puede proporcionar estructuras Any profundamente anidadas que evitan el límite de recursión previsto, agotando finalmente la pila de recursión de Python y causando un RecursionError.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~() https://github.com/protocolbuffers/protobuf/pull/25239 -~~	() https://github.com/protocolbuffers/protobuf/pull/25239 - Patch, Vendor Advisory
First Time		Google protobuf Google
CPE		cpe:2.3:a:google:protobuf::::::::

23 Jan 2026, 15:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-23 15:16

Updated : 2026-04-09 14:19

NVD link : CVE-2026-0994

Mitre link : CVE-2026-0994

CVE.ORG link : CVE-2026-0994

JSON object : View

Products Affected

google

protobuf

CWE

CWE-674

Uncontrolled Recursion

{"id": "CVE-2026-0994", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "cve-coordination@google.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-23T15:16:06.840", "references": [{"url": "https://github.com/protocolbuffers/protobuf/pull/25239", "tags": ["Patch", "Vendor Advisory"], "source": "cve-coordination@google.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve-coordination@google.com", "description": [{"lang": "en", "value": "CWE-674"}]}], "descriptions": [{"lang": "en", "value": "A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.\n\nDue to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python\u2019s recursion stack and causing a RecursionError."}, {"lang": "es", "value": "Hay una vulnerabilidad de denegaci\u00f3n de servicio (DoS) en google.protobuf.json_format.ParseDict() en Python, donde el l\u00edmite max_recursion_depth puede ser evitado al analizar mensajes anidados de google.protobuf.Any.\n\nDebido a que no se contabiliza la profundidad de recursi\u00f3n dentro de la l\u00f3gica interna de manejo de Any, un atacante puede proporcionar estructuras Any profundamente anidadas que evitan el l\u00edmite de recursi\u00f3n previsto, agotando finalmente la pila de recursi\u00f3n de Python y causando un RecursionError."}], "lastModified": "2026-04-09T14:19:17.700", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CF0F8C1C-5CDF-4758-864F-FFF2CBF7B00C", "versionEndIncluding": "33.4"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@google.com"}