UBUNTU-CVE-2026-0994
- Source
- https://ubuntu.com/security/CVE-2026-0994
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-0994.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-0994
- Upstream
- Downstream
- Related
- Published
- 2026-01-23T15:16:00Z
- Modified
- 2026-02-28T06:16:59.091824Z
- Severity
-
- 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L CVSS Calculator
- Ubuntu - medium
- Summary
- [none]
- Details
-
A denial-of-service (DoS) vulnerability exists in google.protobuf.jsonformat.ParseDict() in Python, where the maxrecursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
- References
-
- https://ubuntu.com/security/CVE-2026-0994
- https://www.cve.org/CVERecord?id=CVE-2026-0994
- https://github.com/protocolbuffers/protobuf/pull/25239
- https://github.com/protocolbuffers/protobuf/pull/25586
- https://github.com/protocolbuffers/protobuf/pull/25587
- https://ubuntu.com/security/notices/USN-8063-1
Affected packages
Ubuntu:Pro:18.04:LTS / protobuf
Package
- Name
- protobuf
- Purl
- pkg:deb/ubuntu/protobuf@3.0.0-9.1ubuntu1.1+esm3?arch=source&distro=esm-infra/bionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
3.*
3.0.0-9ubuntu5
3.0.0-9ubuntu6
3.0.0-9.1ubuntu1
3.0.0-9.1ubuntu1.1
3.0.0-9.1ubuntu1.1+esm3
Ecosystem specific
{
"binaries": [
{
"binary_version": "3.0.0-9.1ubuntu1.1+esm3",
"binary_name": "libprotobuf-dev"
},
{
"binary_version": "3.0.0-9.1ubuntu1.1+esm3",
"binary_name": "libprotobuf-java"
},
{
"binary_version": "3.0.0-9.1ubuntu1.1+esm3",
"binary_name": "libprotobuf-lite10"
},
{
"binary_version": "3.0.0-9.1ubuntu1.1+esm3",
"binary_name": "libprotobuf10"
},
{
"binary_version": "3.0.0-9.1ubuntu1.1+esm3",
"binary_name": "libprotoc-dev"
},
{
"binary_version": "3.0.0-9.1ubuntu1.1+esm3",
"binary_name": "libprotoc10"
},
{
"binary_version": "3.0.0-9.1ubuntu1.1+esm3",
"binary_name": "protobuf-compiler"
},
{
"binary_version": "3.0.0-9.1ubuntu1.1+esm3",
"binary_name": "python-protobuf"
},
{
"binary_version": "3.0.0-9.1ubuntu1.1+esm3",
"binary_name": "python3-protobuf"
}
]
}
Ubuntu:Pro:20.04:LTS / protobuf
Package
- Name
- protobuf
- Purl
- pkg:deb/ubuntu/protobuf@3.6.1.3-2ubuntu5.2+esm2?arch=source&distro=esm-infra/focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
3.*
3.6.1.3-2
3.6.1.3-2ubuntu1
3.6.1.3-2ubuntu3
3.6.1.3-2ubuntu4
3.6.1.3-2ubuntu5
3.6.1.3-2ubuntu5.2
3.6.1.3-2ubuntu5.2+esm2
Ecosystem specific
{
"binaries": [
{
"binary_version": "3.6.1.3-2ubuntu5.2+esm2",
"binary_name": "libprotobuf-dev"
},
{
"binary_version": "3.6.1.3-2ubuntu5.2+esm2",
"binary_name": "libprotobuf-java"
},
{
"binary_version": "3.6.1.3-2ubuntu5.2+esm2",
"binary_name": "libprotobuf-lite17"
},
{
"binary_version": "3.6.1.3-2ubuntu5.2+esm2",
"binary_name": "libprotobuf17"
},
{
"binary_version": "3.6.1.3-2ubuntu5.2+esm2",
"binary_name": "libprotoc-dev"
},
{
"binary_version": "3.6.1.3-2ubuntu5.2+esm2",
"binary_name": "libprotoc17"
},
{
"binary_version": "3.6.1.3-2ubuntu5.2+esm2",
"binary_name": "protobuf-compiler"
},
{
"binary_version": "3.6.1.3-2ubuntu5.2+esm2",
"binary_name": "python-protobuf"
},
{
"binary_version": "3.6.1.3-2ubuntu5.2+esm2",
"binary_name": "python3-protobuf"
},
{
"binary_version": "3.6.1.3-2ubuntu5.2+esm2",
"binary_name": "ruby-google-protobuf"
}
]
}
Ubuntu:22.04:LTS / protobuf
Package
- Name
- protobuf
- Purl
- pkg:deb/ubuntu/protobuf@3.12.4-1ubuntu7.22.04.6?arch=source&distro=jammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.12.4-1ubuntu7.22.04.6
Affected versions
3.*
3.12.4-1ubuntu3
3.12.4-1ubuntu5
3.12.4-1ubuntu6
3.12.4-1ubuntu7
3.12.4-1ubuntu7.22.04.1
3.12.4-1ubuntu7.22.04.2
3.12.4-1ubuntu7.22.04.4
Ecosystem specific
{
"binaries": [
{
"binary_version": "3.12.4-1ubuntu7.22.04.6",
"binary_name": "elpa-protobuf-mode"
},
{
"binary_version": "3.12.4-1ubuntu7.22.04.6",
"binary_name": "libprotobuf-dev"
},
{
"binary_version": "3.12.4-1ubuntu7.22.04.6",
"binary_name": "libprotobuf-java"
},
{
"binary_version": "3.12.4-1ubuntu7.22.04.6",
"binary_name": "libprotobuf-lite23"
},
{
"binary_version": "3.12.4-1ubuntu7.22.04.6",
"binary_name": "libprotobuf23"
},
{
"binary_version": "3.12.4-1ubuntu7.22.04.6",
"binary_name": "libprotoc-dev"
},
{
"binary_version": "3.12.4-1ubuntu7.22.04.6",
"binary_name": "libprotoc23"
},
{
"binary_version": "3.12.4-1ubuntu7.22.04.6",
"binary_name": "protobuf-compiler"
},
{
"binary_version": "3.12.4-1ubuntu7.22.04.6",
"binary_name": "python3-protobuf"
},
{
"binary_version": "3.12.4-1ubuntu7.22.04.6",
"binary_name": "ruby-google-protobuf"
}
],
"availability": "No subscription required"
}
Ubuntu:24.04:LTS / protobuf
Package
- Name
- protobuf
- Purl
- pkg:deb/ubuntu/protobuf@3.21.12-8.2ubuntu0.3?arch=source&distro=noble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.21.12-8.2ubuntu0.3
Affected versions
3.*
3.21.12-7ubuntu1
3.21.12-8ubuntu1
3.21.12-8ubuntu5
3.21.12-8.2
3.21.12-8.2build1
3.21.12-8.2ubuntu0.1
3.21.12-8.2ubuntu0.2
Ecosystem specific
{
"binaries": [
{
"binary_version": "3.21.12-8.2ubuntu0.3",
"binary_name": "elpa-protobuf-mode"
},
{
"binary_version": "3.21.12-8.2ubuntu0.3",
"binary_name": "libprotobuf-dev"
},
{
"binary_version": "3.21.12-8.2ubuntu0.3",
"binary_name": "libprotobuf-java"
},
{
"binary_version": "3.21.12-8.2ubuntu0.3",
"binary_name": "libprotobuf-lite32t64"
},
{
"binary_version": "3.21.12-8.2ubuntu0.3",
"binary_name": "libprotobuf32t64"
},
{
"binary_version": "3.21.12-8.2ubuntu0.3",
"binary_name": "libprotoc-dev"
},
{
"binary_version": "3.21.12-8.2ubuntu0.3",
"binary_name": "libprotoc32t64"
},
{
"binary_version": "3.21.12-8.2ubuntu0.3",
"binary_name": "php-google-protobuf"
},
{
"binary_version": "3.21.12-8.2ubuntu0.3",
"binary_name": "protobuf-compiler"
},
{
"binary_version": "3.21.12-8.2ubuntu0.3",
"binary_name": "python3-protobuf"
},
{
"binary_version": "3.21.12-8.2ubuntu0.3",
"binary_name": "ruby-google-protobuf"
}
],
"availability": "No subscription required"
}
Ubuntu:25.10 / protobuf
Package
- Name
- protobuf
- Purl
- pkg:deb/ubuntu/protobuf@3.21.12-11ubuntu3.1?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.21.12-11ubuntu3.1
Ecosystem specific
{
"binaries": [
{
"binary_version": "3.21.12-11ubuntu3.1",
"binary_name": "elpa-protobuf-mode"
},
{
"binary_version": "3.21.12-11ubuntu3.1",
"binary_name": "libprotobuf-dev"
},
{
"binary_version": "3.21.12-11ubuntu3.1",
"binary_name": "libprotobuf-java"
},
{
"binary_version": "3.21.12-11ubuntu3.1",
"binary_name": "libprotobuf-lite32t64"
},
{
"binary_version": "3.21.12-11ubuntu3.1",
"binary_name": "libprotobuf32t64"
},
{
"binary_version": "3.21.12-11ubuntu3.1",
"binary_name": "libprotoc-dev"
},
{
"binary_version": "3.21.12-11ubuntu3.1",
"binary_name": "libprotoc32t64"
},
{
"binary_version": "3.21.12-11ubuntu3.1",
"binary_name": "php-google-protobuf"
},
{
"binary_version": "3.21.12-11ubuntu3.1",
"binary_name": "protobuf-compiler"
},
{
"binary_version": "3.21.12-11ubuntu3.1",
"binary_name": "python3-protobuf"
},
{
"binary_version": "3.21.12-11ubuntu3.1",
"binary_name": "ruby-google-protobuf"
}
],
"availability": "No subscription required"
}