CVE-2026-0994

Published: January 27, 2026Last modified: February 10, 2026

Description

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

Notes

The 'protobuf' aport doesn't provide a Python library which contains a vulnerability.

Status

Product	Release	Package	Status
Alpaquita Linux	23 LTS	protobuf	Not affected (3.21.9-r0)
	25 LTS	protobuf	Not affected (29.4-r0)
	Stream	protobuf	Not affected (3.21.12-r0)
	Stream	py3-protobuf	Fixed (6.33.5-r0)

References

https://github.com/protocolbuffers/protobuf/pull/25239

How to Fix Liberica NIK Not Starting on macOS Catalina and Later

If you use macOS Catalina and later you may encounter the issue that prevents Liberica NIK from starting. To fix it, run the following:

sudo xattr -r -d com.apple.quarantine path/to/graalvm/folder/

If you need more help, check out the FAQ at the bottom of this page or contact us.