Home > Vulnerability Database > CVE-2026-0994

Mend.io Vulnerability Database

CVE-2026-0994

Good to know:

Date: January 23, 2026

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

Severity Score

8.6

Related Resources (7)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-0994

Url: https://github.com/protocolbuffers/protobuf/issues/25070

Url: https://github.com/protocolbuffers/protobuf/pull/25239

Url: https://github.com/protocolbuffers/protobuf/commit/d2b001626d137c62dfee6c88c87324102531868b

Url: https://github.com/protocolbuffers/protobuf

Url: https://github.com/protocolbuffers/protobuf/commit/5ebddcb1bcbe51d1fe323baa145e85f4f23128cf

Url: https://www.mend.io/vulnerability-database/CVE-2026-0994

Severity Score

8.6

Weakness Type (CWE)

Uncontrolled Recursion

CWE-674

Top Fix

Upgrade Version

Upgrade to version protobuf - 6.33.5;protobuf - 5.29.6;protobuf - 6.33.5;https://github.com/protocolbuffers/protobuf.git - v33.5;https://github.com/protocolbuffers/protobuf.git - v5.29.6

Learn More

CVSS v3.1

Base Score:	8.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-0994

Good to know:

Date: January 23, 2026

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?