CVE-2026-30922

Exploit

EPSS 0.03%
Veröffentlicht 18.03.2026 02:29:45
Zuletzt bearbeitet 01.05.2026 17:16:21
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

pyasn1 Vulnerable to Denial of Service via Unbounded Recursion

pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with "Indefinite Length" (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pyasn1 ≫ Pyasn1 SwPlatformpython Version < 0.6.3

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.072

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-674 Uncontrolled Recursion

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r

Vendor Advisory

Exploit

https://github.com/pyasn1/pyasn1/commit/25ad481c19fdb006e20485ef3fc2e5b3eff30ef0

Patch

http://www.openwall.com/lists/oss-security/2026/03/20/4

https://lists.debian.org/debian-lts-announce/2026/05/msg00001.html

https://nvd.nist.gov/vuln/detail/CVE-2026-30922

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-30922

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-30922

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-30922