Description
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.
Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
A flaw was found in protobuf. A remote attacker can exploit this denial-of-service (DoS) vulnerability by supplying deeply nested google.protobuf.Any messages to the google.protobuf.json_format.ParseDict() function. This bypasses the intended recursion depth limit, leading to the exhaustion of Python’s recursion stack and causing a RecursionError, which results in a denial of service.
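One defensive measure that does not depend on the parser's own depth accounting is to bound the nesting of the decoded JSON object before it reaches ParseDict. The guard below is an added example, not code from the protobuf project: it walks the object with an explicit stack (so the guard itself cannot be driven into a RecursionError), rejects input above a depth limit, and only then hands the object to a `parse` callable that is assumed to have the `ParseDict(js_dict, message, max_recursion_depth=...)` shape; the callable is injected so the example runs without protobuf installed, and `make_nested` builds a constructed sample input.

```python
from typing import Any as PyAny, Callable


class NestingTooDeep(ValueError):
    """Raised when a JSON-like object exceeds the allowed nesting depth."""


def nesting_depth(obj: PyAny, limit: int) -> int:
    """Return the container nesting depth of obj (scalars count as 0).

    Iterative traversal: an explicit stack replaces recursion, so hostile
    input cannot exhaust the interpreter stack inside the guard. Raises
    NestingTooDeep as soon as any branch exceeds `limit`.
    """
    deepest = 0
    stack = [(obj, 1)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            children = node.values()
        elif isinstance(node, list):
            children = node
        else:
            continue  # scalar leaf: contributes no depth
        if depth > limit:
            raise NestingTooDeep(f"nesting depth {depth} exceeds limit {limit}")
        deepest = max(deepest, depth)
        for child in children:
            stack.append((child, depth + 1))
    return deepest


def guarded_parse_dict(js_dict: PyAny, message: PyAny, parse: Callable[..., PyAny],
                       max_depth: int = 100) -> PyAny:
    """Reject js_dict if its JSON nesting exceeds max_depth, else call parse.

    JSON nesting is an upper bound on message nesting (every nested message,
    including a nested Any, needs at least one dict level), so this check is
    conservative. `parse` is assumed to be json_format.ParseDict or a callable
    with the same signature; the same limit is still passed through to it.
    """
    nesting_depth(js_dict, max_depth)
    return parse(js_dict, message, max_recursion_depth=max_depth)


def make_nested(levels: int) -> dict:
    """Constructed sample: a dict nested `levels` deep, for exercising the guard."""
    obj: dict = {}
    for _ in range(levels):
        obj = {"value": obj}
    return obj
```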
Statement
This vulnerability is rated Important for Red Hat products. The flaw in protobuf allows a remote attacker to trigger a denial-of-service by providing specially crafted, deeply nested google.protobuf.Any messages to the google.protobuf.json_format.ParseDict() function. This bypasses the intended recursion depth limit, leading to resource exhaustion and application crashes.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| AMQ Clients | protobuf | Not affected | | |
| Red Hat Ansible Automation Platform 2 | python3x-protobuf | Not affected | | |
| Red Hat Ansible Automation Platform 2 | python-protobuf | Not affected | | |
| Red Hat OpenStack Platform 16.2 | protobuf | Affected | | |
| Red Hat Ansible Automation Platform 2.5 for RHEL 8 | python3.12-protobuf | Fixed | RHSA-2026:3959 | 06.03.2026 |
| Red Hat Ansible Automation Platform 2.5 for RHEL 9 | python3.12-protobuf | Fixed | RHSA-2026:3959 | 06.03.2026 |
| Red Hat Ansible Automation Platform 2.6 for RHEL 9 | python3.12-protobuf | Fixed | RHSA-2026:3958 | 06.03.2026 |
| Red Hat Enterprise Linux 10 | protobuf | Fixed | RHSA-2026:3094 | 23.02.2026 |
| Red Hat Enterprise Linux 10.0 Extended Update Support | protobuf | Fixed | RHSA-2026:3218 | 24.02.2026 |
| Red Hat Enterprise Linux 9 | protobuf | Fixed | RHSA-2026:3095 | 23.02.2026 |
Additional information
Status: 7.5 High (CVSS3)