8.2
HIGH CVSS 4.0
CVE-2026-0994
Denial of Service in Python Protobuf
Description

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

INFO

Published Date :

Jan. 23, 2026, 3:16 p.m.

Last Modified :

June 30, 2026, 3:17 a.m.

Remotely Exploit :

Yes !
Affected Products

The following products are affected by CVE-2026-0994 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Google protobuf
1 Protobuf protobuf
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 134c704f-9b21-4f2e-91b3-4a467353bcc0
CVSS 3.1 HIGH [email protected]
CVSS 3.1 HIGH 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
CVSS 4.0 HIGH 14ed7db2-1595-443d-9d34-6215bf890778
CVSS 4.0 HIGH [email protected]
Solution
Update google-protobuf to patch the recursion depth bypass vulnerability in ParseDict().
  • Update the google-protobuf library to the latest version.
  • Apply patches addressing recursion depth accounting.
  • Avoid parsing untrusted deeply nested messages.
  • Monitor system for RecursionError.
Public PoC/Exploit Available at Github

CVE-2026-0994 has a 11 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-0994 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-0994 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Домашнее задание к занятию 5. «Практическое применение Docker»

Updated: 3 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : April 3, 2026, 5:59 a.m. This repo has been linked 7 different CVEs too.

Smart Fitness Trainer – Computer Vision based exercise detection and form analysis using MediaPipe Pose.

Python Dockerfile

Updated: 2 days, 22 hours ago
0 stars 0 fork 0 watcher
Born at : March 31, 2026, 4:43 p.m. This repo has been linked 1 different CVEs too.

A non-allocating lexer for protocol buffers

Dockerfile Makefile Shell C Python C++

Updated: 2 weeks, 2 days ago
4 stars 0 fork 0 watcher
Born at : March 30, 2026, 11:51 p.m. This repo has been linked 2 different CVEs too.

Scan Python dependencies for vulnerabilities with dependency chain tracing

Python Shell

Updated: 2 months, 1 week ago
1 stars 0 fork 0 watcher
Born at : March 30, 2026, 1:56 a.m. This repo has been linked 3 different CVEs too.

github actions for python uv project

Updated: 5 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : Jan. 30, 2026, 8:51 p.m. This repo has been linked 1 different CVEs too.

None

Python TypeScript Shell Dockerfile

Updated: 5 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : Jan. 27, 2026, 12:09 a.m. This repo has been linked 1 different CVEs too.

Python-based PDF scanner for prompt injection checks suitable for journal editors

Dockerfile Python YARA

Updated: 5 months ago
0 stars 0 fork 0 watcher
Born at : Jan. 26, 2026, 7:59 p.m. This repo has been linked 1 different CVEs too.

AI Code Quality Automation for Claude Code - Trinity Score (眞善美) based analysis with 50-70% cost reduction

ai automation claude code-quality developer-tools llm python

Shell Python Dockerfile JavaScript Go Template

Updated: 5 months ago
1 stars 0 fork 0 watcher
Born at : Jan. 24, 2026, 7:57 p.m. This repo has been linked 5 different CVEs too.

FastBulma: Combines Bulma's CSS utilities with FAST's web components through CSS variables

Shell Python HTML CSS JavaScript

Updated: 5 months, 2 weeks ago
1 stars 0 fork 0 watcher
Born at : Jan. 24, 2026, 10:55 a.m. This repo has been linked 1 different CVEs too.

None

Python Shell HCL

Updated: 5 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : Jan. 18, 2026, 1:18 p.m. This repo has been linked 8 different CVEs too.

An attempt to make my own agentic cli.

Python Shell Makefile

Updated: 5 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : Dec. 16, 2025, 9:57 a.m. This repo has been linked 1 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-0994 vulnerability anywhere in the article.

  • Daily CyberSecurity
Critical Command Injection Flaw Hits upKeeper Instant Privilege Access

A critical security vulnerability has been unmasked in upKeeper Instant Privilege Access, a tool designed to give users temporary administrative rights in a controlled, traceable manner. The flaw, tra ... Read more

Published Date: Apr 17, 2026 (2 months, 3 weeks ago)
  • Daily CyberSecurity
Critical 9.8 CVSS Flaw in Pharos Mosaic Controllers Grants Root Access to Unauthenticated Attackers

A security advisory has been issued by CISA regarding a critical vulnerability discovered in Pharos Controls’ Mosaic Show Controller firmware. The flaw, which carries a severity CVSS score of 9.8, cou ... Read more

Published Date: Mar 27, 2026 (3 months, 2 weeks ago)
  • Daily CyberSecurity
The Weekly Breach: 7 Maximum CVSS Flaws and the DarkSword Exploit Unveiled

The past seven days have been an exceptionally busy period for cybersecurity defenders. Between March 16 and March 23, a staggering 1,348 new vulnerabilities were identified and logged. While the shee ... Read more

Published Date: Mar 23, 2026 (3 months, 2 weeks ago)
  • Daily CyberSecurity
CVE-2026-2256: Unpatched Flaw in MS-Agent Lets Hackers Hijack AI Assistants

We are officially entering the era of the “autonomous agent”—smart AI programs that don’t just chat with you, but actually do things on your computer, like organizing files, searching the web, or runn ... Read more

Published Date: Mar 03, 2026 (4 months, 1 week ago)
  • Daily CyberSecurity
Critical Path Traversal Flaw in basic-ftp Exposes Node.js Apps to Arbitrary File Writes

With over 18 million downloads, basic-ftp is a cornerstone utility for Node.js developers, offering a robust, Promise-based API for handling FTP, FTPS over TLS, and bulk directory operations. However, ... Read more

Published Date: Mar 02, 2026 (4 months, 1 week ago)
  • Daily CyberSecurity
CISA Warns of Unpatched Avation & RISS Critical Flaws

In a concerning update for the operational technology (OT) sector, the Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts for two distinct critical infrastructure devices where ... Read more

Published Date: Feb 05, 2026 (5 months, 1 week ago)
  • Daily CyberSecurity
Broadcast Hijack: Critical KiloView Flaw (CVSS 9.8) Grants Full Control

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority alert regarding a maximum-severity vulnerability in KiloView, a popular brand of video encoding and streaming dev ... Read more

Published Date: Feb 03, 2026 (5 months, 1 week ago)
  • Daily CyberSecurity
CVE-2026-24002: Critical Sandbox Escape Turns Grist Spreadsheets into RCE Weapons

A seemingly innocent spreadsheet formula could be the key to compromising entire organizations, thanks to a critical vulnerability uncovered by Cyera Research Labs in Grist-Core. The flaw, tracked as ... Read more

Published Date: Jan 29, 2026 (5 months, 1 week ago)
  • Daily CyberSecurity
CVE-2026-23830: Critical SandboxJS Flaw (CVSS 10) Allows Total Sandbox Escape

A perfect storm of missing checks has led to a maximum-severity vulnerability in SandboxJS, a library designed to safely execute untrusted JavaScript code. Tracked as CVE-2026-23830, the flaw carries ... Read more

Published Date: Jan 29, 2026 (5 months, 1 week ago)
  • Daily CyberSecurity
CVE-2025-14988: Critical 9.8 Vulnerability hits ibaPDA Industrial Software

A critical security vulnerability has been identified in ibaPDA, a core data acquisition system used in industrial environments to monitor and analyze process data. Tracked as CVE-2025-14988, the flaw ... Read more

Published Date: Jan 29, 2026 (5 months, 1 week ago)
  • Daily CyberSecurity
High-Severity DoS Flaw Hits Google Protocol Buffers (CVE-2026-0994)

A high-severity vulnerability has been discovered in Protocol Buffers (protobuf), Google’s widely used mechanism for serializing structured data. The flaw, tracked as CVE-2026-0994, affects Python imp ... Read more

Published Date: Jan 27, 2026 (5 months, 2 weeks ago)
  • Daily CyberSecurity
“Repo Squatting”: How Hackers Are Using GitHub’s Own Features to Hijack Official Repos

In a clever twist on software supply chain attacks, threat actors are weaponizing a quirk in GitHub’s architecture to distribute malware that appears to come from trusted, official sources. A new repo ... Read more

Published Date: Jan 27, 2026 (5 months, 2 weeks ago)

The following table lists the changes that have been made to the CVE-2026-0994 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by 0b0ca135-0b70-47e7-9f44-1890c2a1c46c

    Jun. 30, 2026

    Action Type Old Value New Value
    Added Affected [{'cpes': ['cpe:/a:redhat:ansible_automation_platform:2.5::el8', 'cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8', 'cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8'], 'vendor': 'Red Hat', 'product': 'Red Hat Ansible Automation Platform 2.5 for RHEL 8', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:ansible_automation_platform:2.5::el9', 'cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9', 'cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9'], 'vendor': 'Red Hat', 'product': 'Red Hat Ansible Automation Platform 2.5 for RHEL 9', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:ansible_automation_platform:2.6::el9', 'cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9', 'cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9'], 'vendor': 'Red Hat', 'product': 'Red Hat Ansible Automation Platform 2.6 for RHEL 9', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux_eus:10.0'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream EUS (v. 10.0)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux:10.1'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream (v. 10)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_e4s:9.0::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream E4S (v.9.0)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_e4s:9.2::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream E4S (v.9.2)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_eus:9.4::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream EUS (v.9.4)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_eus:9.6::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream EUS (v.9.6)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:enterprise_linux:9::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream (v. 9)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux_eus:10.0'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux:10.1'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_eus:9.4::crb'], 'vendor': 'Red Hat', 'product': 'Red Hat CodeReady Linux Builder EUS (v.9.4)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_eus:9.6::crb'], 'vendor': 'Red Hat', 'product': 'Red Hat CodeReady Linux Builder EUS (v.9.6)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:enterprise_linux:9::crb'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:ai_inference_server:3.2::el9'], 'vendor': 'Red Hat', 'product': 'Red Hat AI Inference Server 3.2', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:ai_inference_server:3.3::el9'], 'vendor': 'Red Hat', 'product': 'Red Hat AI Inference Server 3.3', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:ansible_automation_platform:2.6::el10', 'cpe:/a:redhat:ansible_automation_platform_developer:2.6::el10'], 'vendor': 'Red Hat', 'product': 'Red Hat Ansible Automation Platform 2.6 for RHEL 10', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:amq_clients:2023'], 'vendor': 'Red Hat', 'product': 'Red Hat AMQ Clients', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:ansible_automation_platform:2'], 'vendor': 'Red Hat', 'product': 'Red Hat Ansible Automation Platform 2', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:hummingbird:1'], 'vendor': 'Red Hat', 'product': 'Red Hat Hardened Images', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:openstack:16.2'], 'vendor': 'Red Hat', 'product': 'Red Hat OpenStack Platform 16.2', 'defaultStatus': 'unaffected'}]
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Added CWE CWE-674
    Added Reference https://access.redhat.com/errata/RHSA-2026:16174
    Added Reference https://access.redhat.com/errata/RHSA-2026:3059
    Added Reference https://access.redhat.com/errata/RHSA-2026:3094
    Added Reference https://access.redhat.com/errata/RHSA-2026:3095
    Added Reference https://access.redhat.com/errata/RHSA-2026:3097
    Added Reference https://access.redhat.com/errata/RHSA-2026:3218
    Added Reference https://access.redhat.com/errata/RHSA-2026:3219
    Added Reference https://access.redhat.com/errata/RHSA-2026:3220
    Added Reference https://access.redhat.com/errata/RHSA-2026:3461
    Added Reference https://access.redhat.com/errata/RHSA-2026:3462
    Added Reference https://access.redhat.com/errata/RHSA-2026:3958
    Added Reference https://access.redhat.com/errata/RHSA-2026:3959
    Added Reference https://access.redhat.com/errata/RHSA-2026:8746
    Added Reference https://access.redhat.com/errata/RHSA-2026:8747
    Added Reference https://access.redhat.com/errata/RHSA-2026:8748
    Added Reference https://access.redhat.com/security/cve/CVE-2026-0994
    Added Reference https://bugzilla.redhat.com/show_bug.cgi?id=2432398
    Added Reference https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-0994.json
  • CVE Modified by [email protected]

    Jun. 17, 2026

    Action Type Old Value New Value
    Added Affected [{'vendor': 'Python', 'product': 'Protobuf', 'versions': [{'status': 'affected', 'version': '<=v33.4', 'versionType': 'custom'}], 'defaultStatus': 'unaffected'}]
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Jun. 17, 2026

    Action Type Old Value New Value
    Added SSVC {'id': 'CVE-2026-0994', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'none'}, {'automatable': 'yes'}, {'technicalImpact': 'partial'}], 'version': '2.0.3', 'timestamp': '2026-01-23T15:33:48.514298Z'}
  • Initial Analysis by [email protected]

    Apr. 09, 2026

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Added CPE Configuration OR *cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:* versions up to (including) 33.4
    Added Reference Type Google Inc.: https://github.com/protocolbuffers/protobuf/pull/25239 Types: Patch, Vendor Advisory
  • New CVE Received by [email protected]

    Jan. 23, 2026

    Action Type Old Value New Value
    Added Description A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
    Added CVSS V4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Added CWE CWE-674
    Added Reference https://github.com/protocolbuffers/protobuf/pull/25239
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.