CVE-2026-0994
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can
CVSS
7.5
High
EPSS
0.6%
p45
KEV
—
Exploit Today
14
0-100
Published: Jan 23, 2026 · Last modified: Jul 15, 2026 · CWE-674
0.6%EPSS · 30 days0.6%
2026-06-302026-07-17
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
- github.comhttps://github.com/protocolbuffers/protobuf/pull/25239
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:16174
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3059
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3094
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3095
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3097
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3218
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3219
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3220
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3461
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3462
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3958
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3959
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:8746
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:8747
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:8748
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-0994
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2432398
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-0994.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-416065.3 MED62.0%
——19Uncontrolled Recursion vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.3dCVE-2026-321417.5 HIG52.7%
——16flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.13hCVE-2026-309227.5 HIG52.6%
——16pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with "Indefinite Length" (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.13hCVE-2026-09905.9 MED51.0%
——15A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.17dCVE-2026-420397.5 HIG49.7%
——15Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and 0.31.1.2dCVE-2026-35207.5 HIG49.5%
——15Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available.3d