CVE-2026-0994
Red Hat · Red Hat Enterprise Linux

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any message

Description

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

Affected Products

Vendor | Product | Versions
Red Hat | Red Hat Enterprise Linux | —

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
canonical | ubuntu linux | cert_advisory | 90%
red hat | enterprise linux | cert_advisory | 90%
resf | resf rocky linux | cert_advisory | 90%
su | suse opensuse | cert_advisory | 90%
su | suse linux | cert_advisory | 90%

References

  • https://github.com/protocolbuffers/protobuf/pull/25239

Related News (2 articles)

Tier B · CERT-FR · 5d ago
Multiple vulnerabilities in Splunk products (16 April 2026)
→ No new info (linked only)

Tier B · BSI Advisories · 19d ago
[UPDATE] [medium] Red Hat Enterprise Linux (Python Protobuf): Vulnerability allows denial of service
→ No new info (linked only)

CISA KEV: ❌ No
Actively exploited: ❌ No
CWE: CWE-674
Published: Jan 23, 2026
Last enriched: 19d ago (v2)
Trending Score: 16
Source articles: 2
Independent: 2
Info Completeness: 6/14
Missing: versions, cvss, epss, kev, exploit, patch, iocs, mitre_attack


Related CVEs (5)

NONE · CVE-2026-0966
Libssh: buffer underflow in ssh_get_hexa() on invalid input
Trending: 20

NONE · CVE-2026-40915
Gimp: gimp: heap buffer overflow due to integer overflow in fits image loader
Trending: 19

MEDIUM · CVE-2026-6383 · EXP
Kubevirt: kubevirt: unauthorized subresource access due to improper rbac evaluation
Trending: 18

NONE · CVE-2026-4424
Libarchive: libarchive: information disclosure via heap out-of-bounds read in rar archive processing
Trending: 17

MEDIUM · CVE-2026-37980
Org.keycloak.forms.login: keycloak: keycloak: arbitrary code execution via stored cross-site scripting (xss) in organization selection login page
Trending: 16

Verification

State: verified
Confidence: 100%

Vulnerability Timeline

CVE Published
Jan 23, 2026
Discovered by ZDM
Apr 1, 2026
Updated: vendor, product
Apr 2, 2026

Version History

v2
Last enriched 19d ago
v2 · Tier B · 19d ago

Updated vendor to Red Hat, product to Red Hat Enterprise Linux, changed severity to HIGH, and marked exploit as available and actively exploited.

vendor, product
via BSI Advisories

v1 · 19d ago

Initial creation