CVE-2026-0994
Published: January 23rd, 2026
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.
Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
Unknown
CVSS v2:
CVSS v2:
Status
| DocFilters Release | Package | State | Justification | Comment |
|---|---|---|---|---|
| 0.0.0.1 | protobuf (3.0.0) | Not Affected | Code Not Present | CVE-2026-0994 affects the Python protobuf package (pip: protobuf <= 6.33.4), specifically the json_format.ParseDict() function. Document Filters uses the C++ protobuf library v3.0.0 compiled from source. The vulnerable Python json_format module is not compiled, bundled, or used by Document Filters. |
| 26.1.1 | protobuf (3.0.0) | Not Affected | Code Not Present | CVE-2026-0994 affects the Python protobuf package (pip: protobuf <= 6.33.4), specifically the json_format.ParseDict() function. Document Filters uses the C++ protobuf library v3.0.0 compiled from source. The vulnerable Python json_format module is not compiled, bundled, or used by Document Filters. |
| 26.1 | protobuf (3.0.0) | Not Affected | Code Not Present | CVE-2026-0994 affects the Python protobuf package (pip: protobuf <= 6.33.4), specifically the json_format.ParseDict() function. Document Filters uses the C++ protobuf library v3.0.0 compiled from source. The vulnerable Python json_format module is not compiled, bundled, or used by Document Filters. |
| 25.4 | protobuf (3.0.0) | Needs Triage | ||
| 25.3 | protobuf (3.0.0) | Needs Triage | ||
| 25.2 | protobuf (3.0.0) | Needs Triage | ||
| 25.1.2 | protobuf (3.0.0) | Not Affected | Code Not Present | CVE-2026-0994 affects the Python protobuf package (pip: protobuf <= 6.33.4), specifically the json_format.ParseDict() function. Document Filters uses the C++ protobuf library v3.0.0 compiled from source. The vulnerable Python json_format module is not compiled, bundled, or used by Document Filters. |
| 25.1.1 | protobuf (3.0.0) | Needs Triage | ||
| 25.1 | protobuf (3.0.0) | Needs Triage | ||
| 24.4 | protobuf (3.0.0) | Needs Triage | ||
| 24.4.0 | protobuf (3.0.0) | Needs Triage | ||
| 24.3 | protobuf (3.0.0) | Needs Triage | ||
| 24.2.1 | protobuf (3.0.0) | Needs Triage | ||
| 24.2 | protobuf (3.0.0) | Needs Triage | ||
| 24.1 | protobuf (3.0.0) | Needs Triage | ||
| 23.3 | protobuf (3.0.0) | Needs Triage | ||
| 23.2.1 | protobuf (3.0.0) | Needs Triage | ||
| 23.2 | protobuf (3.0.0) | Needs Triage | ||
| 23.1 | protobuf (3.0.0) | Needs Triage | ||
| 22.4 | protobuf (3.0.0) | Needs Triage | ||
| 22.3 | protobuf (3.0.0) | Needs Triage | ||
| 22.2 | protobuf (3.0.0) | Needs Triage | ||
| 22.1 | protobuf (3.0.0) | Needs Triage | ||
| 21.11.1 | protobuf (3.0.0) | Needs Triage | ||
| 21.11 | protobuf (3.0.0) | Needs Triage | ||
| 21.8.1 | protobuf (3.0.0) | Needs Triage | ||
| 21.8 | protobuf (3.0.0) | Needs Triage | ||
| 21.5.1 | protobuf (3.0.0) | Needs Triage | ||
| 21.5.0 | protobuf (3.0.0) | Needs Triage | ||
| 21.2.0 | protobuf (3.0.0) | Needs Triage | ||
| 11.4.20 | protobuf (3.0.0) | Needs Triage | ||
| 11.4.19.3667 | protobuf (3.0.0) | Needs Triage | ||
| 11.4.18.3599 | protobuf (3.0.0) | Needs Triage | ||
| 11.4.17 | protobuf (3.0.0) | Needs Triage | ||
| 11.4.16.3445 | protobuf (3.0.0) | Needs Triage | ||
| 11.4.15.3368 | protobuf (3.0.0) | Needs Triage | ||
| 11.4.14.3263 | protobuf (3.0.0) | Needs Triage | ||
| 11.4.13.3179 | protobuf (3.0.0) | Needs Triage | ||
| 11.4.12.3054 | protobuf (3.0.0) | Needs Triage | ||
| 11.4.11.3040 | protobuf (3.0.0) | Needs Triage | ||
| 11.4.11.2990 | protobuf (3.0.0) | Needs Triage | ||
| 11.4.10.2934 | protobuf (3.0.0) | Needs Triage | ||
| 11.4.9.2878 | protobuf (3.0.0) | Needs Triage | ||
| 11.4.8.2822 | protobuf (3.0.0) | Needs Triage |