CVE-2026-30922

Publish date: April 5, 2026
Severity
High
CVSS score
7.5
Package
pyasn1
Affected versions
< 0.6.3

pyasn1 is a generic ASN.1 library for Python. Versions prior to 0.6.3 are vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can send a crafted payload consisting of thousands of nested SEQUENCE (0x30) or SET (0x31) tags, each followed by an indefinite-length marker (0x80). Because the decoder calls itself once per nesting level, the attacker controls the recursion depth directly: decoding continues until the Python interpreter either raises a RecursionError or exhausts available memory, crashing the host application. Such a payload is small (two bytes per nesting level), so it is cheap to generate and to deliver. This vulnerability is separate from CVE-2026-23490, which addressed integer overflows in OID decoding; the fix for CVE-2026-23490 (MAX_OID_ARC_CONTINUATION_OCTETS) does not resolve this recursion issue. The issue is addressed in version 0.6.3; applications that decode BER/DER from untrusted sources should upgrade and should not rely on the OID fix alone.
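The following is an added example, not pyasn1's code, to show the shape of the payload the advisory describes and why an unbounded recursive BER decoder fails on it. It is a minimal BER tag-length-value walker of its own; the names `build_nested_indefinite`, `_parse`, `decode`, `nesting_depth`, `probe`, `DepthExceeded` and the default limit of 64 are illustrative choices made here and are not pyasn1 API. The sample bytes are constructed inline.

```python
"""Minimal BER walker: the nested indefinite-length payload from the advisory,
an unbounded recursive decoder that dies with RecursionError on it, and the
same decoder with a nesting-depth limit that rejects it cleanly.

Added illustration, not pyasn1 code; all names here are hypothetical.
"""
import sys
from typing import Optional

SEQUENCE = 0x30          # UNIVERSAL 16 with the constructed bit (0x20) set
SET = 0x31               # UNIVERSAL 17 with the constructed bit set
CONSTRUCTED = 0x20
INDEFINITE = 0x80        # length octet: contents end at an end-of-contents marker
EOC = b"\x00\x00"        # end-of-contents: tag 0x00, length 0x00


class DepthExceeded(ValueError):
    """Raised by the bounded decoder instead of letting Python hit RecursionError."""


def build_nested_indefinite(depth: int, tag: int = SEQUENCE) -> bytes:
    """Constructed attack payload: `depth` openers '<tag> 0x80', then `depth` EOC markers.

    Two bytes per level, so a 5000-level payload is 20 KB.
    """
    return bytes([tag, INDEFINITE]) * depth + EOC * depth


def _parse(data: bytes, pos: int, depth: int, max_depth: int):
    """Parse one TLV at data[pos:], returning (node, next_pos).

    node is (tag, children) for constructed values and (tag, bytes) for
    primitives. One Python frame is consumed per nesting level, which is the
    quantity the attacker controls; max_depth bounds it.
    """
    if depth > max_depth:
        raise DepthExceeded(f"nesting depth {depth} exceeds limit {max_depth}")
    if pos + 2 > len(data):
        raise ValueError("truncated tag/length")
    tag, length_octet = data[pos], data[pos + 1]
    pos += 2
    constructed = bool(tag & CONSTRUCTED)

    if length_octet == INDEFINITE:
        if not constructed:
            raise ValueError("indefinite length is only valid for constructed values")
        children = []
        while True:
            if pos >= len(data):
                raise ValueError("missing end-of-contents")
            if data[pos:pos + 2] == EOC:          # peek; EOC needs no recursion
                return (tag, children), pos + 2
            child, pos = _parse(data, pos, depth + 1, max_depth)
            children.append(child)

    if length_octet & 0x80:                         # long-form definite length
        n = length_octet & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = length_octet
    if pos + length > len(data):
        raise ValueError("truncated value")
    body, pos = data[pos:pos + length], pos + length

    if not constructed:
        return (tag, body), pos
    children, sub = [], 0
    while sub < len(body):                          # definite-length constructed value
        child, sub = _parse(body, sub, depth + 1, max_depth)
        children.append(child)
    return (tag, children), pos


def decode(data: bytes, max_depth: Optional[int] = 64):
    """Decode one top-level value; max_depth=None reproduces the unbounded behaviour."""
    limit = sys.maxsize if max_depth is None else max_depth
    return _parse(data, 0, 1, limit)


def nesting_depth(node) -> int:
    """Depth of a decoded tree, computed iteratively so it cannot itself recurse."""
    best, stack = 0, [(node, 1)]
    while stack:
        (_, content), d = stack.pop()
        best = max(best, d)
        if isinstance(content, list):
            stack.extend((c, d + 1) for c in content)
    return best


def probe(data: bytes, max_depth: Optional[int]) -> str:
    """Run the decoder and report how it ended."""
    try:
        node, _ = decode(data, max_depth)
    except RecursionError:
        return "RecursionError"
    except DepthExceeded:
        return "DepthExceeded"
    return f"ok depth={nesting_depth(node)}"


if __name__ == "__main__":
    hostile = build_nested_indefinite(5000)       # constructed sample payload
    print(probe(hostile, None))                   # unbounded: RecursionError
    print(probe(hostile, 64))                     # bounded: DepthExceeded
```

With the default CPython recursion limit of 1000, the unbounded decoder fails on the 5000-level payload long before the input is exhausted; the bounded decoder stops at the limit with a catchable exception, which is the property a caller parsing untrusted input wants. A depth of 64 is an arbitrary figure chosen for this example; pick a limit that covers the deepest structure your application legitimately parses.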