Source: protobuf
Version: 3.21.12-15
Severity: important
Tags: security upstream
Forwarded: https://github.com/protocolbuffers/protobuf/issues/25070
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for protobuf.

Filing a bug mainly for tracking the upstream issue for now. Needs
closer assessment.

CVE-2026-0994[0]:
| A denial-of-service (DoS) vulnerability exists in
| google.protobuf.json_format.ParseDict() in Python, where the
| max_recursion_depth limit can be bypassed when parsing nested
| google.protobuf.Any messages.  Due to missing recursion depth
| accounting inside the internal Any-handling logic, an attacker can
| supply deeply nested Any structures that bypass the intended
| recursion limit, eventually exhausting Python’s recursion stack and
| causing a RecursionError.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-0994
    https://www.cve.org/CVERecord?id=CVE-2026-0994
[1] https://github.com/protocolbuffers/protobuf/issues/25070
[2] https://github.com/protocolbuffers/protobuf/pull/25239

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
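
A pre-parse guard, added here as an example and not part of this report or of upstream protobuf: it measures the nesting depth of the dict iteratively and counts every container level, Any wrappers included, so oversized input can be rejected before it reaches ParseDict regardless of whether the installed version's max_recursion_depth accounts for nested Any. The nested-Any JSON shape and the sample builder are constructed for this example.

```python
"""Pre-parse nesting guard for dicts handed to json_format.ParseDict.

Depth is counted with an explicit stack (no Python recursion), so a deeply
nested input cannot exhaust the interpreter stack while being measured.
Assumed JSON shape for a nested Any: {"@type": ".../google.protobuf.Any",
"value": {...}}  (constructed for this example).
"""
from typing import Any as _Any

DEFAULT_MAX_DEPTH = 100  # same value as ParseDict's max_recursion_depth default


def nesting_depth(obj: _Any) -> int:
    """Return the maximum container nesting depth of a JSON-like value.

    A scalar has depth 0, {} or [] has depth 1, {"a": {}} has depth 2.
    Every dict and list level counts, including Any wrappers, which is
    the accounting the vulnerable Any-handling path skipped.
    """
    deepest = 0
    stack = [(obj, 1)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            children = list(node.values())
        elif isinstance(node, list):
            children = node
        else:
            continue  # scalar: does not add a level
        deepest = max(deepest, depth)
        for child in children:
            stack.append((child, depth + 1))
    return deepest


def check_depth(js_dict: dict, max_depth: int = DEFAULT_MAX_DEPTH) -> dict:
    """Reject input nested deeper than max_depth; otherwise return it unchanged.

    Intended use: ParseDict(check_depth(js), msg, max_recursion_depth=max_depth)
    """
    depth = nesting_depth(js_dict)
    if depth > max_depth:
        raise ValueError(f"input nested {depth} levels, limit is {max_depth}")
    return js_dict


def nested_any(levels: int) -> dict:
    """Constructed sample: `levels` Any messages wrapped inside one another."""
    inner: dict = {"@type": "type.googleapis.com/google.protobuf.StringValue",
                   "value": "leaf"}
    for _ in range(levels):
        inner = {"@type": "type.googleapis.com/google.protobuf.Any",
                 "value": inner}
    return inner
```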
