PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-0994 Google CVE debrief

CVE-2026-0994 is a denial-of-service (DoS) vulnerability in Google Protobuf, specifically in the google.protobuf.json_format.ParseDict() function in Python. The vulnerability allows an attacker to bypass the max_recursion_depth limit when parsing nested google.protobuf.Any messages, leading to a RecursionError. This vulnerability was published on January 23, 2026, and modified on June 30, 2026. The CVSS score is 8.2, indicating a high severity. The vulnerability affects Google Protobuf versions up to 33.4.

Vendor: Google
Product: Protobuf
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-23
Original CVE updated: 2026-06-30
Advisory published: 2026-01-23
Advisory updated: 2026-06-30

Who should care

Organizations that use Google Protobuf in Python applications should treat this vulnerability as relevant, in particular wherever google.protobuf.json_format.ParseDict() is applied to JSON that originates from untrusted sources. Developers should review their code to locate those call sites and confirm whether attacker-controlled input can reach them, and security teams should prioritize patching to prevent potential denial-of-service attacks.

Technical summary

The vulnerability exists in the google.protobuf.json_format.ParseDict() function in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages, because the internal Any-handling logic does not account for recursion depth. An attacker can therefore supply deeply nested Any structures that are never checked against the intended limit, eventually exhausting Python's recursion stack and causing a RecursionError. The vulnerability has a CVSS score of 8.2 and is classified as a denial-of-service (DoS) vulnerability.

Defensive priority

Patching should be treated as a high priority, since the flaw can be exploited to cause a denial-of-service attack. Developers should review their code for ParseDict() call sites that accept untrusted input, and security teams should prioritize rolling out the patched version.

Recommended defensive actions

  • Apply the patch from https://github.com/protocolbuffers/protobuf/pull/25239
  • Upgrade Google Protobuf to a version outside the affected range (versions up to 33.4 are affected)
  • Implement additional security measures to prevent denial-of-service attacks, for example bounding the nesting depth of untrusted JSON before it reaches ParseDict() and handling RecursionError at the service boundary so one request cannot take down the process
  • Monitor and track potential attacks exploiting this vulnerability, e.g. RecursionError spikes or worker crashes in services that call ParseDict() on external input
  • Update inventory to reflect vulnerable and patched systems
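As an added illustration of the "additional security measures" item (this is example code written for this debrief, not code from the Protobuf project or from the referenced patch), the guard below bounds the nesting of an already-decoded JSON dict before it is handed to ParseDict(), counting every dict and list level so that the "value" wrapper of a packed Any cannot slip past the check the way it does past ParseDict's own accounting. The nested-Any sample and the parse_dict stand-in are constructed for the example, and the walk is iterative so the guard itself cannot raise RecursionError on hostile input.

```python
class NestingTooDeep(ValueError):
    """Raised when decoded JSON nests deeper than the configured bound."""


def nesting_depth(obj, limit):
    """Return the dict/list nesting depth of obj, or raise NestingTooDeep.

    Every dict and list level counts, including the 'value' wrapper each packed
    google.protobuf.Any adds, so a chain of Any messages cannot hide depth from
    this check. The walk uses an explicit stack, so the guard never recurses.
    """
    deepest = 0
    stack = [(obj, 1)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            children = list(node.values())
        elif isinstance(node, list):
            children = node
        else:
            continue  # scalars (str, int, None, ...) add no depth
        if depth > limit:
            raise NestingTooDeep(f"nesting depth {depth} exceeds limit {limit}")
        deepest = max(deepest, depth)
        stack.extend((child, depth + 1) for child in children)
    return deepest


def exceeds_limit(obj, limit):
    """Boolean form of the check, for request filters and tests."""
    try:
        nesting_depth(obj, limit)
    except NestingTooDeep:
        return True
    return False


def guarded_parse(data, limit, parse_dict=None):
    """Bound nesting first, then hand the dict to the real parser.

    parse_dict stands in for google.protobuf.json_format.ParseDict with the
    target message already bound by the caller (an assumption of this example);
    it defaults to identity so the example runs without protobuf installed.
    """
    nesting_depth(data, limit)
    return parse_dict(data) if parse_dict is not None else data


# Constructed sample: three packed Any wrappers around a plain message dict,
# i.e. nesting depth 4 (outer dict plus three nested 'value' dicts).
ANY_TYPE = "type.googleapis.com/google.protobuf.Any"
SAMPLE_NESTED_ANY = {"@type": ANY_TYPE, "value": {"@type": ANY_TYPE, "value": {
    "@type": ANY_TYPE, "value": {"name": "inner"}}}}
```

This is a stopgap in front of the parser, not a replacement for the upstream fix; the limit should be set from the deepest message shape the service legitimately accepts.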

Evidence notes

The vulnerability was published on January 23, 2026, and modified on June 30, 2026. The CVSS score is 8.2, indicating high severity. The vulnerability affects Google Protobuf versions up to 33.4. Multiple references and errata from Red Hat relate to this vulnerability.

Official resources

This article was generated with AI assistance based on the supplied source corpus.