Description

pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with "Indefinite Length" (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.

INFO

Published Date :

2026-03-18T02:29:45.857Z

Last Modified :

2026-05-01T16:21:04.773Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-30922 vulnerability.

Vendors Products
Pyasn1
  • Pyasn1
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-30922.

URL Resource
http://www.openwall.com/lists/oss-security/2026/03/20/4 cve-icon
https://github.com/pyasn1/pyasn1/commit/25ad481c19fdb006e20485ef3fc2e5b3eff30ef0 cve-icon cve-icon cve-icon
https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-30922 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-30922 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact