Security Advisory

CVE-2026-0994

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-01-23 14:55:16

Last updated 2026-01-30 14:28:11

Assigner Google

State PUBLISHED

Description

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

← Browse all CVEs View on cve.org ↗