Merge PR "[AUTO-CHERRYPICK] [High] patch pytorch for CVE-2026-0994 - branch 3.0-dev" microsoft#15851

CBL-Mariner-Bot · durgajagadeesh · jslobodzian · web-flow · commit dbf01f4f8845 · 2026-02-15T11:08:18.000-08:00
Co-authored-by: durgajagadeesh &lt;v-dpalli@microsoft.com&gt;
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/pytorch/CVE-2026-0994.patch b/SPECS/pytorch/CVE-2026-0994.patch
@@ -0,0 +1,84 @@
+From b210265f2b4c05e396e4590feb0c38ae6ae0cca4 Mon Sep 17 00:00:00 2001
+From: aviralgarg05 <gargaviral99@gmail.com>
+Date: Fri, 9 Jan 2026 20:59:10 +0530
+Subject: [PATCH] Fix Any recursion depth bypass in Python
+ json_format.ParseDict
+
+This fixes a security vulnerability where nested google.protobuf.Any messages
+could bypass the max_recursion_depth limit, potentially leading to denial of
+service via stack overflow.
+
+The root cause was that _ConvertAnyMessage() was calling itself recursively
+via methodcaller() for nested well-known types, bypassing the recursion depth
+tracking in ConvertMessage().
+
+The fix routes well-known type parsing through ConvertMessage() to ensure
+proper recursion depth accounting for all message types including nested Any.
+
+Fixes #25070
+
+Closes #25239
+
+Upstream Patch Reference:https://github.com/protocolbuffers/protobuf/commit/c4eda3e58680528147a4cc7e2b3c9044f795c9c9
+---
+ .../python/google/protobuf/json_format.py     | 21 ++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/third_party/protobuf/python/google/protobuf/json_format.py b/third_party/protobuf/python/google/protobuf/json_format.py
+index 4d76d021..63f21cbb 100644
+--- a/third_party/protobuf/python/google/protobuf/json_format.py
++++ b/third_party/protobuf/python/google/protobuf/json_format.py
+@@ -459,9 +459,11 @@ _INT_OR_FLOAT = six.integer_types + (float,)
+ class _Parser(object):
+   """JSON format parser for protocol message."""
+
+-  def __init__(self, ignore_unknown_fields, descriptor_pool):
++  def __init__(self, ignore_unknown_fields, descriptor_pool, max_recursion_depth=100):
+     self.ignore_unknown_fields = ignore_unknown_fields
+     self.descriptor_pool = descriptor_pool
++    self.max_recursion_depth = max_recursion_depth
++    self.recursion_depth = 0
+
+   def ConvertMessage(self, value, message):
+     """Convert a JSON object into a message.
+@@ -473,6 +475,17 @@ class _Parser(object):
+     Raises:
+       ParseError: In case of convert problems.
+     """
++    # Increment recursion depth at message entry. The max_recursion_depth limit
++    # is exclusive: a depth value equal to max_recursion_depth will trigger an
++    # error. For example, with max_recursion_depth=5, nesting up to depth 4 is
++    # allowed, but attempting depth 5 raises ParseError.
++    self.recursion_depth += 1
++    if self.recursion_depth > self.max_recursion_depth:
++      raise ParseError(
++          'Message too deep. Max recursion depth is {0}'.format(
++              self.max_recursion_depth
++          )
++      )
+     message_descriptor = message.DESCRIPTOR
+     full_name = message_descriptor.full_name
+     if _IsWrapperMessage(message_descriptor):
+@@ -481,6 +494,7 @@ class _Parser(object):
+       methodcaller(_WKTJSONMETHODS[full_name][1], value, message)(self)
+     else:
+       self._ConvertFieldValuePair(value, message)
++    self.recursion_depth -= 1
+
+   def _ConvertFieldValuePair(self, js, message):
+     """Convert field value pairs into regular message.
+@@ -612,8 +626,9 @@ class _Parser(object):
+     if _IsWrapperMessage(message_descriptor):
+       self._ConvertWrapperMessage(value['value'], sub_message)
+     elif full_name in _WKTJSONMETHODS:
+-      methodcaller(
+-          _WKTJSONMETHODS[full_name][1], value['value'], sub_message)(self)
++      # For well-known types (including nested Any), use ConvertMessage
++      # to ensure recursion depth is properly tracked
++      self.ConvertMessage(value['value'], sub_message)
+     else:
+       del value['@type']
+       self._ConvertFieldValuePair(value, sub_message)
+-- 
+2.45.4
+
diff --git a/SPECS/pytorch/pytorch.spec b/SPECS/pytorch/pytorch.spec
@@ -2,7 +2,7 @@
 Summary:        Tensors and Dynamic neural networks in Python with strong GPU acceleration.
 Name:           pytorch
 Version:        2.2.2
-Release:        11%{?dist}
+Release:        12%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -37,6 +37,7 @@ Patch12:        CVE-2025-55560.patch
 Patch13:        CVE-2025-46152.patch
 Patch14:        CVE-2025-3001.patch
 Patch15:        CVE-2026-24747.patch
+Patch16:        CVE-2026-0994.patch
 
 %description
 PyTorch is a Python package that provides two high-level features:
@@ -98,6 +99,9 @@ cp -arf docs %{buildroot}/%{_pkgdocdir}
 %{_docdir}/*
 
 %changelog
+* Wed Feb 11 2026 Durga Jagadeesh Palli <v-dpalli@microsoft.com> - 2.2.2-12
+- Patch for CVE-2026-0994
+
 * Wed Jan 28 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.2.2-11
 - Patch for CVE-2026-24747
 
