PatchSiren cyber security CVE debrief
CVE-2026-0994 Google CVE debrief
CVE-2026-0994 is a denial-of-service (DoS) vulnerability in Google Protobuf, specifically in the google.protobuf.json_format.ParseDict() function in Python. The vulnerability allows an attacker to bypass the max_recursion_depth limit when parsing nested google.protobuf.Any messages, leading to a RecursionError. This vulnerability was published on January 23, 2026, and modified on June 30, 2026. The CVSS score is 8.2, indicating a high severity. The vulnerability affects Google Protobuf versions up to 33.4.
- Vendor: Google
- Product: Protobuf
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-23
- Original CVE updated: 2026-06-30
- Advisory published: 2026-01-23
- Advisory updated: 2026-06-30
Who should care
Organizations using Google Protobuf in their applications should be aware of this vulnerability and take steps to mitigate it. Specifically, developers whose Python code passes untrusted JSON-derived dicts to google.protobuf.json_format.ParseDict() should review those call sites to confirm they are not exposed to this attack. Security teams should prioritize patching this vulnerability to prevent denial-of-service attacks.
Technical summary
The vulnerability exists in the google.protobuf.json_format.ParseDict() function in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. This is due to missing recursion depth accounting inside the internal Any-handling logic. An attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python's recursion stack and causing a RecursionError. The vulnerability has a CVSS score of 8.2 and is classified as a denial-of-service (DoS) vulnerability.
Defensive priority
Patching this vulnerability should be treated as high priority, since it can be exploited to cause a denial of service. Developers should review their code for ParseDict() call sites that receive untrusted input, and security teams should track the fix through to deployment.
Recommended defensive actions
- Apply the patch from https://github.com/protocolbuffers/protobuf/pull/25239
- Review and update Google Protobuf to a version that is not vulnerable
- Implement additional defence-in-depth measures against denial of service, such as limiting the size and nesting depth of untrusted JSON before it is parsed
- Monitor and track potential attacks exploiting this vulnerability
- Update inventory to reflect vulnerable and patched systems
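As an added defender-side example that is not code from the protobuf project or from this advisory: a pre-parse nesting guard, covering both the technical summary above and the defence-in-depth item in the list, that counts every dict and list level of the decoded JSON (nested Any layers included, since Any is encoded as an ordinary JSON object) before the dict reaches ParseDict(), so missing depth accounting inside the Any path cannot carry the parser past the cap. It supplements the patch listed above rather than replacing it; MAX_DEPTH and the function names are assumptions chosen for illustration.

```python
import json

# Assumed cap for illustration: set it to the deepest message the service
# legitimately accepts, and keep it below ParseDict's own max_recursion_depth.
MAX_DEPTH = 64


class NestingTooDeep(ValueError):
    """Untrusted JSON is nested deeper than the configured cap."""


def json_depth(value, cap=MAX_DEPTH):
    """Container nesting depth of a decoded JSON value: 42 -> 0, {"a": [1]} -> 2.
    Uses an explicit stack instead of recursion, so the guard itself cannot
    raise RecursionError, and stops as soon as a container beyond `cap` is
    seen instead of visiting every node of a hostile payload.
    """
    max_seen = 0
    stack = [(value, 1)] if isinstance(value, (dict, list)) else []
    while stack:
        node, depth = stack.pop()
        if depth > cap:
            raise NestingTooDeep(f"JSON nesting depth exceeds {cap}")
        max_seen = max(max_seen, depth)
        children = node.values() if isinstance(node, dict) else node
        for child in children:
            if isinstance(child, (dict, list)):
                stack.append((child, depth + 1))
    return max_seen


def guarded_json_to_dict(raw, cap=MAX_DEPTH):
    """Decode untrusted JSON text and enforce the nesting cap before ParseDict().
    An Any value is encoded in JSON as an object carrying "@type" plus the
    embedded message's fields, so nested Any layers are counted as plain dict
    levels here, independent of how ParseDict accounts for them internally.
    json.loads can itself raise RecursionError on extremely deep input; that is
    folded into NestingTooDeep so callers handle one exception type.
    """
    try:
        obj = json.loads(raw)
    except RecursionError:
        raise NestingTooDeep("JSON nesting too deep to decode") from None
    json_depth(obj, cap)
    return obj


def parse_untrusted_json(raw, message, cap=MAX_DEPTH):
    """Guarded front end for json_format.ParseDict(); protobuf imported lazily."""
    from google.protobuf import json_format
    return json_format.ParseDict(guarded_json_to_dict(raw, cap), message)
```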
Evidence notes
The vulnerability was published on January 23, 2026, and modified on June 30, 2026. The CVSS score is 8.2, indicating a high severity. The vulnerability affects Google Protobuf versions up to 33.4. There are multiple references and errata from Red Hat related to this vulnerability.
Official resources
- CVE-2026-0994 CVE record (CVE.org)
- CVE-2026-0994 NVD detail (NVD)
This article was generated with AI assistance based on the supplied source corpus.