ГлавнаяУязвимости → CVE-2026-0994
7.5высокая

CVE-2026-0994

→ есть в БДУ: BDU:2026-05124 (на русском)
Описание (на английском; русское — в БДУ выше)

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

Затрагиваемое ПО
Google Protobuf
CVSS
Балл7.5 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Источники
https://github.com/protocolbuffers/protobuf/pull/25239https://access.redhat.com/errata/RHSA-2026:16174https://access.redhat.com/errata/RHSA-2026:3059https://access.redhat.com/errata/RHSA-2026:3094https://access.redhat.com/errata/RHSA-2026:3095https://access.redhat.com/errata/RHSA-2026:3097https://access.redhat.com/errata/RHSA-2026:3218https://access.redhat.com/errata/RHSA-2026:3219