{
  "threat_severity" : "Important",
  "public_date" : "2026-01-23T14:55:16Z",
  "bugzilla" : {
    "description" : "python: protobuf: Protobuf: Denial of Service due to recursion depth bypass",
    "id" : "2432398",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2432398"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-674",
  "details" : [ "A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.\nDue to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.", "A flaw was found in protobuf. A remote attacker can exploit this denial-of-service (DoS) vulnerability by supplying deeply nested `google.protobuf.Any` messages to the `google.protobuf.json_format.ParseDict()` function. This bypasses the intended recursion depth limit, leading to the exhaustion of Python’s recursion stack and causing a `RecursionError`, which results in a denial of service." ],
  "statement" : "This vulnerability is rated Important for Red Hat products. The flaw in `protobuf` allows a remote attacker to trigger a denial of service by providing specially crafted, deeply nested `google.protobuf.Any` messages to the `google.protobuf.json_format.ParseDict()` function. Because the nesting bypasses the intended recursion depth limit, parsing exhausts Python’s recursion stack and raises a `RecursionError`, leading to application crashes. Exposure therefore depends on whether an application passes untrusted input to `ParseDict()`.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2026-03-06T00:00:00Z",
    "advisory" : "RHSA-2026:3959",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "python3.12-protobuf-0:5.29.6-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2026-03-06T00:00:00Z",
    "advisory" : "RHSA-2026:3959",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "python3.12-protobuf-0:5.29.6-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.6 for RHEL 9",
    "release_date" : "2026-03-06T00:00:00Z",
    "advisory" : "RHSA-2026:3958",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9",
    "package" : "python3.12-protobuf-0:5.29.6-1.el9ap"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-02-23T00:00:00Z",
    "advisory" : "RHSA-2026:3094",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "protobuf-0:3.19.6-15.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-02-24T00:00:00Z",
    "advisory" : "RHSA-2026:3218",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "protobuf-0:3.19.6-11.el10_0.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-23T00:00:00Z",
    "advisory" : "RHSA-2026:3095",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "protobuf-0:3.14.0-17.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-02-23T00:00:00Z",
    "advisory" : "RHSA-2026:3097",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "protobuf-0:3.14.0-9.el9_0.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-02-24T00:00:00Z",
    "advisory" : "RHSA-2026:3220",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "protobuf-0:3.14.0-13.el9_2.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-02-23T00:00:00Z",
    "advisory" : "RHSA-2026:3059",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "protobuf-0:3.14.0-13.el9_4.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-02-24T00:00:00Z",
    "advisory" : "RHSA-2026:3219",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "protobuf-0:3.14.0-16.el9_6.1"
  }, {
    "product_name" : "Red Hat AI Inference Server 3.2",
    "release_date" : "2026-02-27T00:00:00Z",
    "advisory" : "RHSA-2026:3461",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9",
    "package" : "rhaiis/vllm-cuda-rhel9:sha256:dcb9d1cd005c40b6db6f893e56419e383b9dcc0d38315605cb1457e2af5354f7"
  }, {
    "product_name" : "Red Hat AI Inference Server 3.2",
    "release_date" : "2026-02-27T00:00:00Z",
    "advisory" : "RHSA-2026:3462",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9",
    "package" : "rhaiis/vllm-rocm-rhel9:sha256:53007894763e03f609c35c727cb738db3c2130b19fa0e1069c24240e0870fb7a"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat AMQ Clients",
    "fix_state" : "Not affected",
    "package_name" : "protobuf",
    "cpe" : "cpe:/a:redhat:amq_clients:2023"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "python3x-protobuf",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "python-protobuf",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Affected",
    "package_name" : "protobuf",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-0994\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0994\nhttps://github.com/protocolbuffers/protobuf/pull/25239" ],
  "name" : "CVE-2026-0994",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}