Denial-of-Service Vulnerability in Google Protocol Buffers by Google
CVE-2026-0994

8.2HIGH

Key Information:

Vendor: Python
Status: Protobuf
Vendor: CVE Published:; 23 January 2026

What is CVE-2026-0994?

A denial-of-service vulnerability has been identified in the Google Protocol Buffers library, specifically within the json_format.ParseDict() method in Python. This issue arises from a flaw in handling recursion depth when processing nested google.protobuf.Any messages. Attackers can craft deeply nested Any structures that exceed the allowable recursion depth, leading to a potential exhaustion of Python's recursion stack, ultimately resulting in a RecursionError. Proper safeguards and updates are necessary to mitigate this vulnerability.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Protobuf <=v33.4

References

https://github.com/protocolbuffers/protobuf/pull/25239

CVSS V4

Score:

8.2

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Jan 23, 2026
Vulnerability Reserved
Jan 15, 2026

JSON

Python

What is CVE-2026-0994?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V4

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.