{"id":"CVE-2026-0994","details":"A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.\n\nDue to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.","aliases":["GHSA-7gcm-g887-7qv7"],"modified":"2026-04-02T17:30:16.823322492Z","published":"2026-01-23T15:16:06.840Z","related":["ALSA-2026:3094","ALSA-2026:3095","CGA-jgjc-r94m-fgp2","SUSE-SU-2026:0374-1","SUSE-SU-2026:0517-1","SUSE-SU-2026:0563-1","SUSE-SU-2026:0618-1","SUSE-SU-2026:20352-1","SUSE-SU-2026:20490-1","SUSE-SU-2026:20753-1","SUSE-SU-2026:20907-1","openSUSE-SU-2026:20390-1"],"references":[{"type":"FIX","url":"https://github.com/protocolbuffers/protobuf/pull/25239"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-0994.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}