CVE-2026-0994

Publication date 23 January 2026

Last updated 28 January 2026

Ubuntu priority

Description

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
protobuf	25.10 questing	Vulnerable, fix deferred
	24.04 LTS noble	Vulnerable, fix deferred
	22.04 LTS jammy	Vulnerable, fix deferred
	20.04 LTS focal	Vulnerable, fix deferred
	18.04 LTS bionic	Vulnerable, fix deferred
	16.04 LTS xenial	Vulnerable, fix deferred
	14.04 LTS trusty	Vulnerable, fix deferred

Notes

mdeslaur

as of 2026-01-27, the fix has not yet been accepted into the uptream protobuf repo

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
protobuf	Upstream: https://github.com/protocolbuffers/protobuf/pull/25239

References

Other references

https://www.cve.org/CVERecord?id=CVE-2026-0994