CVE-2026-30922

pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with "Indefinite Length" (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/pyasn1/pyasn1/commit/25ad481c19fdb006e20485ef3fc2e5b3eff30ef0	Patch
https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r	Exploit Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/03/20/4

Configurations

Configuration 1 (hide)

cpe:2.3:a:pyasn1:pyasn1:*:*:*:*:*:python:*:*

History

No history.

Information

Published : 2026-03-18 04:17

Updated : 2026-03-21 01:17

NVD link : CVE-2026-30922

Mitre link : CVE-2026-30922

CVE.ORG link : CVE-2026-30922

JSON object : View

Products Affected

pyasn1

pyasn1

CWE

CWE-674

Uncontrolled Recursion

{"id": "CVE-2026-30922", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-18T04:17:18.397", "references": [{"url": "https://github.com/pyasn1/pyasn1/commit/25ad481c19fdb006e20485ef3fc2e5b3eff30ef0", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/20/4", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-674"}]}], "descriptions": [{"lang": "en", "value": "pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with \"Indefinite Length\" (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue."}, {"lang": "es", "value": "pyasn1 es una biblioteca ASN.1 gen\u00e9rica para Python. Antes de la versi\u00f3n 0.6.3, la biblioteca 'pyasn1' es vulnerable a un ataque de denegaci\u00f3n de servicio (DoS) causado por recursi\u00f3n incontrolada al decodificar datos ASN.1 con estructuras profundamente anidadas. Un atacante puede suministrar una carga \u00fatil manipulada que contenga miles de etiquetas 'SEQUENCE' ('0x30') o 'SET' ('0x31') anidadas con marcadores de 'Longitud Indefinida' ('0x80'). Esto fuerza al decodificador a llamarse recursivamente hasta que el int\u00e9rprete de Python falla con un 'RecursionError' o consume toda la memoria disponible (OOM), provocando la ca\u00edda de la aplicaci\u00f3n anfitriona. Esta es una vulnerabilidad distinta de CVE-2026-23490 (que abord\u00f3 desbordamientos de enteros en la decodificaci\u00f3n de OID). La soluci\u00f3n para CVE-2026-23490 ('MAX_OID_ARC_CONTINUATION_OCTETS') no mitiga este problema de recursi\u00f3n. La versi\u00f3n 0.6.3 soluciona este problema espec\u00edfico."}], "lastModified": "2026-03-21T01:17:06.360", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pyasn1:pyasn1:*:*:*:*:*:python:*:*", "vulnerable": true, "matchCriteriaId": "3F5F876E-E9B5-45D9-AE85-5E3E35AD09D7", "versionEndExcluding": "0.6.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}