Vulnerability details: VCID-cg4f-vq8p-dub3
Vulnerability ID VCID-cg4f-vq8p-dub3
Aliases CVE-2026-0994
GHSA-7gcm-g887-7qv7
Summary protobuf affected by a JSON recursion depth bypass. A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0994.json
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2026-0994
epss 0.00026 https://api.first.org/data/v1/epss?cve=CVE-2026-0994
cvssv3.1 5.9 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-7gcm-g887-7qv7
cvssv4 8.2 https://github.com/protocolbuffers/protobuf
generic_textual HIGH https://github.com/protocolbuffers/protobuf
cvssv4 8.2 https://github.com/protocolbuffers/protobuf/commit/5ebddcb1bcbe51d1fe323baa145e85f4f23128cf
generic_textual HIGH https://github.com/protocolbuffers/protobuf/commit/5ebddcb1bcbe51d1fe323baa145e85f4f23128cf
cvssv4 8.2 https://github.com/protocolbuffers/protobuf/commit/d2b001626d137c62dfee6c88c87324102531868b
generic_textual HIGH https://github.com/protocolbuffers/protobuf/commit/d2b001626d137c62dfee6c88c87324102531868b
cvssv4 8.2 https://github.com/protocolbuffers/protobuf/issues/25070
generic_textual HIGH https://github.com/protocolbuffers/protobuf/issues/25070
cvssv4 8.2 https://github.com/protocolbuffers/protobuf/pull/25239
generic_textual HIGH https://github.com/protocolbuffers/protobuf/pull/25239
ssvc Track https://github.com/protocolbuffers/protobuf/pull/25239
cvssv4 8.2 https://nvd.nist.gov/vuln/detail/CVE-2026-0994
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-0994
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0994.json
https://api.first.org/data/v1/epss?cve=CVE-2026-0994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0994
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/protocolbuffers/protobuf
https://github.com/protocolbuffers/protobuf/commit/5ebddcb1bcbe51d1fe323baa145e85f4f23128cf
https://github.com/protocolbuffers/protobuf/commit/d2b001626d137c62dfee6c88c87324102531868b
https://github.com/protocolbuffers/protobuf/issues/25070
https://github.com/protocolbuffers/protobuf/pull/25239
https://nvd.nist.gov/vuln/detail/CVE-2026-0994
1126302 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126302
2432398 https://bugzilla.redhat.com/show_bug.cgi?id=2432398
GHSA-7gcm-g887-7qv7 https://github.com/advisories/GHSA-7gcm-g887-7qv7
RHSA-2026:3059 https://access.redhat.com/errata/RHSA-2026:3059
RHSA-2026:3094 https://access.redhat.com/errata/RHSA-2026:3094
RHSA-2026:3095 https://access.redhat.com/errata/RHSA-2026:3095
RHSA-2026:3097 https://access.redhat.com/errata/RHSA-2026:3097
RHSA-2026:3218 https://access.redhat.com/errata/RHSA-2026:3218
RHSA-2026:3219 https://access.redhat.com/errata/RHSA-2026:3219
RHSA-2026:3220 https://access.redhat.com/errata/RHSA-2026:3220
RHSA-2026:3461 https://access.redhat.com/errata/RHSA-2026:3461
RHSA-2026:3462 https://access.redhat.com/errata/RHSA-2026:3462
RHSA-2026:3958 https://access.redhat.com/errata/RHSA-2026:3958
RHSA-2026:3959 https://access.redhat.com/errata/RHSA-2026:3959
RHSA-2026:8746 https://access.redhat.com/errata/RHSA-2026:8746
RHSA-2026:8747 https://access.redhat.com/errata/RHSA-2026:8747
RHSA-2026:8748 https://access.redhat.com/errata/RHSA-2026:8748
USN-8063-1 https://usn.ubuntu.com/8063-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0994.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L Found at https://github.com/protocolbuffers/protobuf
Attack Vector (AV): network; Attack Complexity (AC): low; Attack Requirements (AT): present; Privileges Required (PR): none; User Interaction (UI): none; Vulnerable System Impact Confidentiality (VC): none; Vulnerable System Impact Integrity (VI): none; Vulnerable System Impact Availability (VA): high; Subsequent System Impact Confidentiality (SC): none; Subsequent System Impact Integrity (SI): none; Subsequent System Impact Availability (SA): low

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L Found at https://github.com/protocolbuffers/protobuf/commit/5ebddcb1bcbe51d1fe323baa145e85f4f23128cf

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L Found at https://github.com/protocolbuffers/protobuf/commit/d2b001626d137c62dfee6c88c87324102531868b

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L Found at https://github.com/protocolbuffers/protobuf/issues/25070

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L Found at https://github.com/protocolbuffers/protobuf/pull/25239

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-23T15:33:48Z/ Found at https://github.com/protocolbuffers/protobuf/pull/25239
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L Found at https://nvd.nist.gov/vuln/detail/CVE-2026-0994

Exploit Prediction Scoring System (EPSS)
Percentile 0.02113
EPSS Score 0.00013
Published At April 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:52:23.304366+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-7gcm-g887-7qv7/GHSA-7gcm-g887-7qv7.json 38.0.0