{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-0994","assignerOrgId":"14ed7db2-1595-443d-9d34-6215bf890778","state":"PUBLISHED","assignerShortName":"Google","dateReserved":"2026-01-15T15:16:22.904Z","datePublished":"2026-01-23T14:55:16.876Z","dateUpdated":"2026-06-30T12:07:10.896Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Protobuf","vendor":"Python","versions":[{"status":"affected","version":"<=v33.4","versionType":"custom"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<span style=\"background-color: rgb(255, 255, 255);\">A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.</span><br><br><span style=\"background-color: rgb(255, 255, 255);\">Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.</span><br>"}],"value":"A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.\n\nDue to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError."}],"impacts":[{"capecId":"CAPEC-147","descriptions":[{"lang":"en","value":"CAPEC-147: XML Nested Entity Expansion"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":8.2,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-674","description":"CWE-674: Uncontrolled Recursion","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"14ed7db2-1595-443d-9d34-6215bf890778","shortName":"Google","dateUpdated":"2026-01-30T14:28:11.435Z"},"references":[{"url":"https://github.com/protocolbuffers/protobuf/pull/25239"}],"source":{"discovery":"UNKNOWN"},"title":"Denial of Service in Python Protobuf","x_generator":{"engine":"Vulnogram 0.5.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-01-23T15:33:48.514298Z","id":"CVE-2026-0994","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-23T15:34:38.915Z"}},{"affected":[{"cpes":["cpe:/a:redhat:ansible_automation_platform:2.5::el8","cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8","cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8"],"defaultStatus":"affected","product":"Red Hat Ansible Automation Platform 2.5 for RHEL 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2.5::el9","cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9","cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9"],"defaultStatus":"affected","product":"Red Hat Ansible Automation Platform 2.5 for RHEL 9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2.6::el9","cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9","cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9"],"defaultStatus":"affected","product":"Red Hat Ansible Automation Platform 2.6 for RHEL 9","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux_eus:10.0"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream EUS (v. 10.0)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10.1"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 10)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_e4s:9.0::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream E4S (v.9.0)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_e4s:9.2::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream E4S (v.9.2)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_eus:9.4::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream EUS (v.9.4)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_eus:9.6::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream EUS (v.9.6)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux_eus:10.0"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10.1"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_eus:9.4::crb"],"defaultStatus":"affected","product":"Red Hat CodeReady Linux Builder EUS (v.9.4)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_eus:9.6::crb"],"defaultStatus":"affected","product":"Red Hat CodeReady Linux Builder EUS (v.9.6)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::crb"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ai_inference_server:3.2::el9"],"defaultStatus":"affected","product":"Red Hat AI Inference Server 3.2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ai_inference_server:3.3::el9"],"defaultStatus":"affected","product":"Red Hat AI Inference Server 3.3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2.6::el10","cpe:/a:redhat:ansible_automation_platform_developer:2.6::el10"],"defaultStatus":"unaffected","product":"Red Hat Ansible Automation Platform 2.6 for RHEL 10","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_clients:2023"],"defaultStatus":"unaffected","product":"Red Hat AMQ Clients","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"unaffected","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:hummingbird:1"],"defaultStatus":"unaffected","product":"Red Hat Hardened Images","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openstack:16.2"],"defaultStatus":"unaffected","product":"Red Hat OpenStack Platform 16.2","vendor":"Red Hat"}],"datePublic":"2026-01-23T14:55:16.876Z","descriptions":[{"lang":"en","value":"A flaw was found in protobuf. A remote attacker can exploit this denial-of-service (DoS) vulnerability by supplying deeply nested `google.protobuf.Any` messages to the `google.protobuf.json_format.ParseDict()` function. This bypasses the intended recursion depth limit, leading to the exhaustion of Python’s recursion stack and causing a `RecursionError`, which results in a denial of service."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-674","description":"Uncontrolled Recursion","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-0994"},{"name":"RHBZ#2432398","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2432398"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-0994.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3959"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3958"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3218"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3094"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3097"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3220"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3059"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3219"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3095"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3461"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3462"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:8748"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:8746"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:8747"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:16174"}],"solutions":[{"lang":"en","value":"RHSA-2026:3959: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9"},{"lang":"en","value":"RHSA-2026:3958: Red Hat Ansible Automation Platform 2.6 for RHEL 9"},{"lang":"en","value":"RHSA-2026:3218: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"},{"lang":"en","value":"RHSA-2026:3094: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"},{"lang":"en","value":"RHSA-2026:3097: Red Hat Enterprise Linux AppStream E4S (v.9.0)"},{"lang":"en","value":"RHSA-2026:3220: Red Hat Enterprise Linux AppStream E4S (v.9.2)"},{"lang":"en","value":"RHSA-2026:3059: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4)"},{"lang":"en","value":"RHSA-2026:3219: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)"},{"lang":"en","value":"RHSA-2026:3095: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"},{"lang":"en","value":"RHSA-2026:3461: Red Hat AI Inference Server 3.2"},{"lang":"en","value":"RHSA-2026:3462: Red Hat AI Inference Server 3.2"},{"lang":"en","value":"RHSA-2026:8748: Red Hat AI Inference Server 3.3"},{"lang":"en","value":"RHSA-2026:8746: Red Hat AI Inference Server 3.3"},{"lang":"en","value":"RHSA-2026:8747: Red Hat AI Inference Server 3.3"},{"lang":"en","value":"RHSA-2026:16174: Red Hat AI Inference Server 3.3"}],"timeline":[{"lang":"en","time":"2026-01-23T16:02:59.235Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-01-23T14:55:16.876Z","value":"Made public."}],"title":"python: protobuf: Protobuf: Denial of Service due to recursion depth bypass","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:07:10.896Z"}}]}}