DEBIAN-CVE-2026-0994

Source
https://security-tracker.debian.org/tracker/CVE-2026-0994
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-0994.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-0994
Upstream
  • CVE-2026-0994
Published
2026-01-23T15:16:06.840Z
Modified
2026-01-24T11:01:10.705124Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Summary
[none]
Details

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

References

Affected packages

Debian:11 / protobuf

Package

Name
protobuf
Purl
pkg:deb/debian/protobuf?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*
3.12.4-1
3.12.4-1+deb11u1
3.14.0-1
3.17.1-1
3.17.2-1
3.17.3-1
3.17.3-2
3.18.0~rc1-1
3.18.0~rc2-1
3.18.0-1
3.18.1-1
3.19.0-1
3.19.1-1
3.19.3-1
3.19.4-1
3.20.0~rc1-1
3.20.0~rc2-1
3.20.0-1
3.20.1~rc1-1
3.20.1-1
3.20.2-1
3.21.6-1
3.21.7-1
3.21.8-1
3.21.9-1
3.21.9-2
3.21.9-3
3.21.9-4
3.21.9-5
3.21.10-1
3.21.11-1
3.21.12-1
3.21.12-2
3.21.12-2+exp1
3.21.12-3
3.21.12-4
3.21.12-5
3.21.12-6
3.21.12-7
3.21.12-8
3.21.12-8.1
3.21.12-8.2
3.21.12-9
3.21.12-10
3.21.12-11
3.21.12-12
3.21.12-13
3.21.12-14
3.21.12-15
3.25.1-1
3.25.2-1
3.25.3-1
3.25.4-1
3.25.4-2
3.25.4-3
3.25.4-4
3.25.7-1
4.*
4.0.0~rc1-1
4.0.0~rc2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-0994.json"

Debian:12 / protobuf

Package

Name
protobuf
Purl
pkg:deb/debian/protobuf?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*
3.21.12-3
3.21.12-4
3.21.12-5
3.21.12-6
3.21.12-7
3.21.12-8
3.21.12-8.1
3.21.12-8.2
3.21.12-9
3.21.12-10
3.21.12-11
3.21.12-12
3.21.12-13
3.21.12-14
3.21.12-15
3.25.1-1
3.25.2-1
3.25.3-1
3.25.4-1
3.25.4-2
3.25.4-3
3.25.4-4
3.25.7-1
4.*
4.0.0~rc1-1
4.0.0~rc2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-0994.json"

Debian:13 / protobuf

Package

Name
protobuf
Purl
pkg:deb/debian/protobuf?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*
3.21.12-11
3.21.12-12
3.21.12-13
3.21.12-14
3.21.12-15
3.25.1-1
3.25.2-1
3.25.3-1
3.25.4-1
3.25.4-2
3.25.4-3
3.25.4-4
3.25.7-1
4.*
4.0.0~rc1-1
4.0.0~rc2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-0994.json"

Debian:14 / protobuf

Package

Name
protobuf
Purl
pkg:deb/debian/protobuf?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*
3.21.12-11
3.21.12-12
3.21.12-13
3.21.12-14
3.21.12-15
3.25.1-1
3.25.2-1
3.25.3-1
3.25.4-1
3.25.4-2
3.25.4-3
3.25.4-4
3.25.7-1
4.*
4.0.0~rc1-1
4.0.0~rc2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-0994.json"