CVE-2026-0994 #3

Merged

sbelikov merged 2 commits from update-protobuf-31.1 into niceos-5.2 2026-05-25 23:38:12 +03:00

Conversation 0 Commits 2 Files changed 5 +32 -21

sbelikov commented 2026-05-25 23:03:23 +03:00

Owner

Copy link

Descriptions

CVE-2026-0994

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.

Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

Descriptions CVE-2026-0994 A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

sbelikov added 1 commit 2026-05-25 23:03:23 +03:00

Regenerate protobuf metadata for 31.1 479ea66881

sbelikov added 1 commit 2026-05-25 23:36:12 +03:00

Build protobuf 31.1-2.niceosc5 f254da3f20

sbelikov changed title from protobuf: block major update to 34.1 pending maintainer review to CVE-2026-0994 2026-05-25 23:38:02 +03:00

sbelikov merged commit e75cb94e2a into niceos-5.2 2026-05-25 23:38:12 +03:00

sbelikov referenced this pull request from a commit 2026-05-25 23:38:13 +03:00

Merge pull request 'CVE-2026-0994' (#3) from update-protobuf-31.1 into niceos-5.2

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

ai-summary

Issue contains local NiceSOFT AI generated preliminary analysis

  

auto-analysis

Created by niceos_cve_create_issues.py

  

bot

Created by automation

  

cve

Created by niceos_cve_create_issues.py

  

match-cpe-range

Created by niceos_cve_create_issues.py

  

needs-policy-decision

Needs explicit maintainer or architecture policy decision

  

needs-triage

Created by niceos_cve_create_issues.py

  

policy/blocked

Upstream update is blocked by NiceOS policy

  

policy/major-blocked

Major update is blocked by NiceOS policy

  

priority/high

High priority

  

security

Created by niceos_cve_create_issues.py

  

severity-high

Created by niceos_cve_create_issues.py

  

source-niceos-scan

Created by niceos_cve_create_issues.py

  

source-nvd

Created by niceos_cve_create_issues.py

  

update/major

Major update

  

upstream-update

New upstream version is available

  

upstream/github

GitHub upstream

No labels

ai-summary

auto-analysis

bot

cve

match-cpe-range

needs-policy-decision

needs-triage

policy/blocked

policy/major-blocked

priority/high

security

severity-high

source-niceos-scan

source-nvd

update/major

upstream-update

upstream/github

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

rpms/protobuf!3

No description provided.