CVE-2026-30922

EUVD-2026-12747

18.03.2026, 04:17

pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with "Indefinite Length" (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 6.46%

Affected Products (NVD)

Vendor	Product	Version
pyasn1	pyasn1	𝑥 < 0.6.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

pyasn1

bookworm	vulnerable
bookworm (security)	0.4.8-3+deb12u2 fixed
bullseye	vulnerable
bullseye (security)	0.4.8-1+deb11u2 fixed
forky	0.6.3-1 fixed
sid	0.6.3-1 fixed
trixie	vulnerable
trixie (security)	0.6.1-1+deb13u2 fixed

Ubuntu Releases

Ubuntu Product

Codename

pyasn1

bionic	Fixed 0.4.2-3ubuntu0.18.04.1~esm1 released
focal	Fixed 0.4.2-3ubuntu0.20.04.1~esm1 released
jammy	Fixed 0.4.8-1ubuntu0.2 released
noble	Fixed 0.4.8-4ubuntu0.2 released
questing	Fixed 0.6.1-1ubuntu0.2 released
trusty	Fixed 0.1.7-1ubuntu2.1+esm1 released
xenial	Fixed 0.1.9-1ubuntu0.1~esm1 released

Known Exploits!

https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r

Common Weakness Enumeration

CWE-674 - Uncontrolled Recursion
The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.

Vulnerability Media Exposure

[GERMAN] Red Hat Ansible Automation Platform: Mehrere Schwachstellen
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat Ansible Automation Platform ausnutzen, um einen Denial of Service Angriff durchzuführen, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, Daten zu manipulieren, vertrauliche Informationen offenzulegen oder Cross-Site-Scripting-Angriffe durchzuführen.
Published: 2026-03-31T22:00:00+00:00

References

https://github.com/pyasn1/pyasn1/commit/25ad481c19fdb006e20485ef3fc2e5b3eff30ef0

https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r

http://www.openwall.com/lists/oss-security/2026/03/20/4

https://lists.debian.org/debian-lts-announce/2026/05/msg00001.html