CVE-2026-0994
Denial-of-service (DoS) vulnerability in protobuf (PyPI)

Denial-of-service (DoS) | No known exploit

What is CVE-2026-0994 About?

This is a denial-of-service vulnerability in google.protobuf.json_format.ParseDict() in the Python protobuf package, where crafted input bypasses the parser's recursion-depth limit. Successful exploitation crashes the application through stack exhaustion. The vulnerability appears relatively easy to exploit, requiring only crafted input.

Affected Software

protobuf <=6.33.4

Technical Details

The vulnerability resides in the google.protobuf.json_format.ParseDict() function in the Python protobuf package, specifically in the handling of nested google.protobuf.Any messages. The intended max_recursion_depth limit is bypassed because the internal Any-handling logic does not correctly count its own recursion against that limit. An attacker can construct a deeply nested structure of Any messages; when ParseDict() parses it, the uncounted recursion exceeds the configured limit and overflows the Python interpreter's recursion stack, producing a RecursionError and a denial of service.
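Because the library's own depth accounting is what fails here, a defender cannot rely on max_recursion_depth alone. The following is an added example (not protobuf's code and not part of this advisory) of the two compensating controls a service can apply around ParseDict(): an independent, iterative nesting-depth bound on the raw JSON-derived dict before the library sees it, and conversion of any RecursionError that still escapes into an ordinary rejected request. The `parse` parameter, the 32-level default and the sample dicts from `build_nested()` are assumptions made for the example; `ParseDict(..., max_recursion_depth=...)` is the real protobuf API named in the advisory and is imported lazily so the module also loads where protobuf is absent.

```python
"""Defensive wrapper around google.protobuf.json_format.ParseDict().

Added example for CVE-2026-0994, not protobuf's own code: the library's
max_recursion_depth can be bypassed for nested Any messages, so the nesting
of the raw JSON-derived dict is measured independently before the library
sees it, and a RecursionError becomes a rejected request, not a crash.
"""

from typing import Any, Callable, Optional


class NestingTooDeep(ValueError):
    """Raised when input exceeds the depth this service is willing to parse."""


def nesting_depth(obj: Any) -> int:
    """Return the maximum container nesting depth of a JSON-like value.

    {} and [] count as depth 1, {"a": {}} as depth 2, a bare scalar as 0.
    The walk is iterative, so the check itself can never exhaust the
    interpreter stack regardless of how the input is shaped.
    """
    if not isinstance(obj, (dict, list)):
        return 0
    deepest = 0
    stack = [(obj, 1)]
    while stack:
        node, depth = stack.pop()
        deepest = max(deepest, depth)
        children = node.values() if isinstance(node, dict) else node
        for child in children:
            if isinstance(child, (dict, list)):
                stack.append((child, depth + 1))
    return deepest


def is_within_depth(obj: Any, limit: int) -> bool:
    """True when the input nests no deeper than `limit` container levels."""
    return nesting_depth(obj) <= limit


def parse_untrusted(js_dict: dict, message: Any, max_depth: int = 32,
                    parse: Optional[Callable[[dict, Any], Any]] = None) -> Any:
    """Parse JSON-derived input into `message` under an independent depth bound.

    `parse` (assumed injection point for tests) defaults to protobuf's
    ParseDict with the same max_recursion_depth as a second line of defence;
    the outer check does not depend on the library honouring it.
    """
    if not is_within_depth(js_dict, max_depth):
        raise NestingTooDeep(f"input nested deeper than {max_depth} levels")
    parser = parse
    if parser is None:
        from google.protobuf.json_format import ParseDict  # real protobuf API

        def parser(d: dict, m: Any) -> Any:
            return ParseDict(d, m, max_recursion_depth=max_depth)
    try:
        return parser(js_dict, message)
    except RecursionError as exc:
        # Anything that slips past the depth accounting is turned into a
        # rejected request instead of a process-killing stack exhaustion.
        raise NestingTooDeep("parser exhausted the interpreter stack") from exc


def build_nested(depth: int) -> dict:
    """Constructed sample input: a plain dict nested `depth` levels deep."""
    node: dict = {"leaf": True}
    for _ in range(depth - 1):
        node = {"value": node}
    return node


if __name__ == "__main__":
    # Stand-alone demo with a stand-in parser so no protobuf install is needed.
    stand_in = lambda js, m: ("parsed", nesting_depth(js))
    for d in (10, 100):
        try:
            print(d, parse_untrusted(build_nested(d), None, parse=stand_in))
        except NestingTooDeep as e:
            print(d, "rejected:", e)
```

In production the depth bound should be set from the deepest message the service legitimately expects, not from the interpreter's recursion limit; a handler that catches NestingTooDeep and returns a 4xx keeps one bad request from taking down the process.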

What is the Impact of CVE-2026-0994?

Successful exploitation may allow attackers to cause an application to crash, leading to a denial of service and making the affected system unavailable to legitimate users.

What is the Exploitability of CVE-2026-0994?

Exploitation of this vulnerability is likely of low to medium complexity. It requires an attacker to supply specially crafted input to an application that parses protobuf messages with the affected function. No authentication is strictly required, since the vulnerability is triggered during input parsing, and the privilege requirements are low because the attack vector is data input. The vulnerability is remotely exploitable wherever the crafted input can be delivered over a network. The main constraint is that the target application must use a vulnerable version of the library and process protobuf messages from untrusted sources. Risk increases if the application publicly exposes an API endpoint that directly consumes protobuf messages.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2026-0994?

Available Upgrade Options

  • No fixes available

Additional Resources

What are Similar Vulnerabilities to CVE-2026-0994?

Similar Vulnerabilities: CVE-2023-44487, CVE-2023-38545, CVE-2022-29007, CVE-2021-42340, CVE-2020-13777