CVE-2026-0994: Denial of Service in Python Protobuf
Published Jan 23, 2026
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in the Python protobuf package: the max_recursion_depth limit is not enforced on the code path that parses nested google.protobuf.Any messages, so a crafted JSON payload of Any messages wrapped inside Any messages can drive the parser into unbounded recursion and crash the process with a RecursionError. json_format.Parse() decodes JSON text and hands the result to ParseDict(), so it reaches the same code path.
Affected Software (5 affected components, fixes available)
- pypi/protobuf (pip/protobuf): <=6.33.4 affected; fixed in 6.33.5
- Google Protobuf (upstream): <=33.4
- IBM watsonx.data intelligence: <=5.2.0, 5.2.1, 5.3.0, 5.3.1
- debian/protobuf: <=3.12.4-1+deb11u1, <=3.21.12-3, <=3.21.12-11, <=3.21.12-15
Remediation: patch available (upgrade pip/protobuf to 6.33.5 or later)
Event History
Jan 23, 2026
- 02:55 PM: CVE published via MITRE; data sourced via MITRE (description, weakness)
- 03:16 PM: data sourced via NVD (remedy, description, severity, weakness, affected software)
- 03:31 PM: advisory published via GitHub; data sourced via GitHub (description, weakness, affected software)
- 04:03 PM: data sourced via Red Hat (description, severity, affected software)
Apr 27, 2026
- 12:00 AM: data sourced via IBM (description, affected software)
May 26, 2026
- 09:10 PM: data sourced via Ubuntu (remedy, description, severity, affected software)
- 09:11 PM: data sourced via Launchpad (description)
- 09:11 PM: data sourced via Debian (description, affected software)
Frequently Asked Questions
1. What is the severity of CVE-2026-0994?
CVE-2026-0994 has a medium severity rating: its impact is denial of service (a process crash), not code execution or data disclosure.
2. How do I fix CVE-2026-0994?
Update the protobuf package (pip/protobuf) to version 6.33.5 or later, or apply your distribution's patched package (see Affected Software above).
3. Which versions of protobuf are affected by CVE-2026-0994?
CVE-2026-0994 affects pip/protobuf versions up to and including 6.33.4.
4. What kind of attack does CVE-2026-0994 facilitate?
Denial of service: an attacker who can supply JSON to json_format.ParseDict() or json_format.Parse() sends a payload of google.protobuf.Any messages nested inside one another; because the depth limit is bypassed on that path, the parser recurses until Python raises RecursionError and the process crashes or the request fails.
5. Is there a workaround for CVE-2026-0994 if I can't update immediately?
If an update is not possible, do not pass untrusted JSON to ParseDict() or Parse() without a check of your own. The advisory's point is that the library's depth limit does not protect the Any path, so the check must be done before parsing: measure the nesting depth of the decoded JSON (iteratively, not recursively) and reject anything deeper than your application needs, or reject payloads containing @type fields entirely if your schemas do not require google.protobuf.Any from that source.
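The pre-parse guard described in the workaround above, as an added example (this is not code from the protobuf project or from the advisory): it measures nesting depth on the decoded JSON with an explicit stack, rejects over-deep payloads before they reach the affected ParseDict() API, and builds a nested-Any payload of the shape the advisory describes to exercise the guard. The helper names, the MAX_DEPTH value and the sample payload are assumptions chosen for illustration.

```python
"""Pre-parse nesting guard for JSON destined for google.protobuf.json_format.ParseDict().

Added example for this advisory, not code from the protobuf project. The helper
names (json_nesting_depth, check_nesting, build_nested_any, parse_dict_guarded)
and the MAX_DEPTH value are assumptions chosen for illustration; the nested-Any
payload is constructed here to mirror the shape the advisory describes.
"""
from __future__ import annotations

from typing import Any as JsonValue

# Assumed limit for this example. It is enforced on the raw JSON structure, so
# it holds regardless of whether ParseDict's own max_recursion_depth check is
# bypassed on the Any code path.
MAX_DEPTH = 100

ANY_TYPE_URL = "type.googleapis.com/google.protobuf.Any"
STRUCT_TYPE_URL = "type.googleapis.com/google.protobuf.Struct"


def json_nesting_depth(obj: JsonValue) -> int:
    """Return the deepest container nesting of a decoded JSON value.

    Scalars have depth 0; {} or [] has depth 1; {"a": {}} has depth 2.
    The walk uses an explicit stack rather than recursion, so the guard
    itself cannot be pushed into RecursionError by the payload it inspects.
    """
    deepest = 0
    stack: list[tuple[JsonValue, int]] = [(obj, 1)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            deepest = max(deepest, depth)
            stack.extend((child, depth + 1) for child in node.values())
        elif isinstance(node, list):
            deepest = max(deepest, depth)
            stack.extend((child, depth + 1) for child in node)
    return deepest


def check_nesting(obj: JsonValue, max_depth: int = MAX_DEPTH) -> int:
    """Raise ValueError if obj nests deeper than max_depth; return the depth."""
    depth = json_nesting_depth(obj)
    if depth > max_depth:
        raise ValueError(f"JSON nesting depth {depth} exceeds limit {max_depth}")
    return depth


def build_nested_any(levels: int) -> dict:
    """Constructed payload: a google.protobuf.Struct wrapped in `levels` Any layers.

    This is the structure the advisory describes (Any inside Any), built here
    only to exercise the guard; each Any layer adds one level of nesting, and
    the Struct leaf with its empty "value" object contributes two more.
    """
    payload: dict = {"@type": STRUCT_TYPE_URL, "value": {}}
    for _ in range(levels):
        payload = {"@type": ANY_TYPE_URL, "value": payload}
    return payload


def parse_dict_guarded(js_dict: dict, message, max_depth: int = MAX_DEPTH):
    """Check nesting first, then hand the dict to the real ParseDict().

    ParseDict is the affected API; the import is deferred so the guard can be
    used (and tested) where protobuf is not installed.
    """
    check_nesting(js_dict, max_depth)
    from google.protobuf.json_format import ParseDict

    return ParseDict(js_dict, message)


if __name__ == "__main__":
    # A hostile payload: thousands of Any layers, well past Python's default
    # recursion limit. The guard rejects it without ever recursing.
    try:
        check_nesting(build_nested_any(5000))
    except ValueError as exc:
        print("rejected:", exc)

    try:
        from google.protobuf import any_pb2, struct_pb2  # noqa: F401
    except ImportError:
        print("protobuf not installed; skipping the ParseDict round trip")
    else:
        # struct_pb2 is imported so Struct is registered in the default
        # descriptor pool that ParseDict uses to resolve @type URLs.
        benign = parse_dict_guarded(build_nested_any(3), any_pb2.Any())
        print("parsed benign payload, type_url =", benign.type_url)
```

The guard is deliberately independent of the library: it inspects the plain dict produced by json.loads(), so it also protects callers of Parse() if they decode the text themselves first and then call parse_dict_guarded(), and it keeps working once 6.33.5 is installed as a defence in depth against any other unbounded nesting.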