
CVE-2026-0994: CWE-674: Uncontrolled Recursion in Python Protobuf

Severity: High
Tags: Vulnerability, CVE-2026-0994, CWE-674
Published: Fri Jan 23 2026 (01/23/2026, 14:55:16 UTC)
Source: CVE Database V5
Vendor/Project: Python
Product: Protobuf

Description

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

AI-Powered Analysis

Last updated: 01/31/2026, 08:10:09 UTC

Technical Analysis

CVE-2026-0994 is a denial-of-service vulnerability identified in the Python implementation of Google’s Protocol Buffers (Protobuf) library, specifically within the json_format.ParseDict() function. The vulnerability stems from the improper handling of recursion depth when parsing nested google.protobuf.Any messages. Normally, Protobuf enforces a maximum recursion depth to prevent stack overflows and excessive resource consumption. However, due to missing recursion depth accounting inside the internal logic that handles Any types, an attacker can craft deeply nested Any message structures that bypass this recursion limit. When such maliciously crafted input is parsed, it causes Python’s recursion stack to be exhausted, resulting in a RecursionError that crashes or disrupts the affected application. This vulnerability affects all Python Protobuf versions up to and including v33.4. The attack vector is network-based and does not require authentication or user interaction, making it relatively easy to exploit remotely. Although no known exploits have been observed in the wild yet, the high CVSS score of 8.2 reflects the significant impact potential. The vulnerability is categorized under CWE-674 (Uncontrolled Recursion), highlighting the failure to properly limit recursion depth in the code. The lack of patch links indicates that a fix may still be pending or recently released. Organizations relying on Python Protobuf for JSON message parsing, especially those processing untrusted input, are vulnerable to denial-of-service attacks that can degrade service availability and reliability.

Potential Impact

For European organizations, the primary impact of CVE-2026-0994 is the risk of denial-of-service conditions in applications and services that utilize Python Protobuf for parsing JSON-formatted protobuf messages. This can lead to application crashes, service outages, and potential disruption of critical business operations, especially in sectors relying heavily on automated data processing and inter-service communication. The vulnerability’s ease of exploitation without authentication or user interaction increases the risk of opportunistic attacks. Organizations in finance, healthcare, telecommunications, and government sectors, which often use Python and Protobuf for data serialization and communication, may face operational disruptions. Additionally, service providers hosting APIs or microservices that parse protobuf JSON data are at risk of being targeted to cause cascading failures. The impact on confidentiality and integrity is minimal, as the vulnerability primarily affects availability. However, denial-of-service attacks can indirectly affect trust and compliance with service level agreements and regulatory requirements. The potential for widespread disruption is heightened in environments with extensive use of Python Protobuf, especially if input validation is insufficient.

Mitigation Recommendations

1. Upgrade Python Protobuf to a patched version beyond v33.4 once it becomes available from the official maintainers to ensure the recursion depth checks are properly enforced.
2. Implement strict input validation and limit the depth of nested Any messages at the application layer before parsing to prevent maliciously crafted payloads from reaching the vulnerable code path.
3. Employ runtime monitoring and anomaly detection to identify unusual parsing behavior or spikes in recursion depth that may indicate exploitation attempts.
4. Use sandboxing or containerization to isolate services that parse protobuf JSON data, limiting the impact of potential crashes.
5. Apply rate limiting and network-level protections to reduce exposure to automated or volumetric attacks exploiting this vulnerability.
6. Review and harden error handling to gracefully manage RecursionError exceptions without service crashes.
7. Maintain an inventory of all applications and services using Python Protobuf to prioritize patching and mitigation efforts.
8. Engage with vendors or open-source communities for timely updates and security advisories related to this vulnerability.
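A pre-parse guard covering mitigation items 2 and 6, added here as an example and not code from the Protobuf project. It assumes the service already holds the incoming JSON payload as a Python dict before calling ParseDict(); measure_depth, within_limit, safe_parse_dict, nested_any_fixture and the 64-level limit are this example's own choices, while max_recursion_depth is the ParseDict keyword the advisory names.

```python
from typing import Any

class NestingTooDeep(ValueError):
    """Input exceeds the configured nesting limit."""

def measure_depth(node: Any, limit: int) -> int:
    """Nesting depth of a JSON-like value (dicts/lists count, scalars do not).
    Uses an explicit stack so the guard itself can never raise RecursionError,
    and stops at the first node beyond `limit` rather than walking it all."""
    deepest, stack = 0, [(node, 1)]
    while stack:
        value, depth = stack.pop()
        if isinstance(value, dict):
            children = list(value.values())
        elif isinstance(value, list):
            children = value
        else:
            continue
        if depth > limit:
            raise NestingTooDeep(f"nesting depth {depth} exceeds limit {limit}")
        deepest = max(deepest, depth)
        stack.extend((child, depth + 1) for child in children)
    return deepest

def within_limit(node: Any, limit: int) -> bool:
    """True if the input may be handed to the parser under this limit."""
    try:
        measure_depth(node, limit)
        return True
    except NestingTooDeep:
        return False

def safe_parse_dict(js_dict: dict, message: Any, limit: int = 64):
    """Guarded ParseDict: depth is checked before the library sees the input,
    and a RecursionError escaping the parser becomes a clean ValueError
    instead of unwinding the calling request handler (example wrapper)."""
    measure_depth(js_dict, limit)
    from google.protobuf import json_format  # real library, imported lazily
    try:
        return json_format.ParseDict(js_dict, message, max_recursion_depth=limit)
    except RecursionError as exc:
        raise ValueError("protobuf JSON input too deeply nested") from exc

def nested_any_fixture(levels: int) -> dict:
    """Constructed test input: `levels` Any wrappers around one leaf object.
    Type URLs are placeholders; only the shape matters to the guard."""
    node: dict = {"@type": "type.googleapis.com/example.Leaf", "n": 1}
    for _ in range(levels):
        node = {"@type": "type.googleapis.com/google.protobuf.Any", "value": node}
    return node
```

Because the guard measures the raw dict, it rejects over-deep input regardless of whether the nesting is made of Any wrappers or ordinary message fields, so it holds even where the library's own counter is skipped.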


Technical Details

Data Version: 5.2
Assigner Short Name: Google
Date Reserved: 2026-01-15T15:16:22.904Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69738e544623b1157c4a43aa

Added to database: 1/23/2026, 3:05:56 PM

Last enriched: 1/31/2026, 8:10:09 AM

Last updated: 2/8/2026, 12:10:56 AM
