CVE-2026-30922
Denial of Service in pyasn1 ASN.1 Decoder via Recursive Parsing
Publication date: 2026-03-18
Last updated on: 2026-05-01
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pyasn1 | pyasn1 | < 0.6.3 (all releases before 0.6.3; fixed in 0.6.3) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30922 is a denial-of-service (DoS) vulnerability in the pyasn1 Python library in versions before 0.6.3. The library's ASN.1 decoder did not limit the depth of nested structures it processes: an attacker can craft ASN.1 data with thousands of nested SEQUENCE or SET tags using indefinite-length markers, and the decoder calls itself recursively once per nesting level.

This uncontrolled recursion ends in a Python RecursionError or an out-of-memory condition, crashing the application or service that uses pyasn1. The root cause is that the core decoder functions invoke their decoding callbacks recursively without tracking or limiting the recursion depth.

The issue was fixed in pyasn1 0.6.3 by introducing a maximum nesting depth of 100. The decoder now tracks the current nesting level and raises a controlled PyAsn1Error when the limit is exceeded, so a malicious payload produces a catchable error instead of a crash. [1, 2]
How can this vulnerability impact me?
This vulnerability can cause a denial of service by crashing the Python interpreter or exhausting system memory when pyasn1 decodes maliciously crafted ASN.1 data with excessive nesting.
- Remote attackers can send small payloads with deeply nested ASN.1 structures to crash services or worker threads that use pyasn1.
- The crash manifests as a RecursionError or an out-of-memory condition, leading to service unavailability.
- Services that parse untrusted ASN.1 data, such as LDAP, SNMP, Kerberos, or X.509 certificate handling, are particularly exposed.
- Increasing Python's recursion limit is not a fix and can worsen the impact: it lets the decoder go deeper, driving up memory consumption and potentially taking down the whole server process rather than a single worker. [2, 1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or RecursionErrors in applications that use the pyasn1 library when they decode ASN.1 data with deeply nested structures.
A proof-of-concept payload consists of ASN.1 data with thousands of nested SEQUENCE (0x30) or SET (0x31) tags that use indefinite-length markers (0x80); it can be used to test whether a system is vulnerable.
No specific detection commands are provided. The simplest check is the installed version: `pip show pyasn1` or `python -c "import pyasn1; print(pyasn1.__version__)"` reports anything below 0.6.3 as affected. To confirm the behaviour, decode a crafted payload with excessive nesting using the installed pyasn1 and observe whether a RecursionError or out-of-memory condition occurs (on 0.6.3 and later the decoder raises PyAsn1Error instead).
Additionally, monitoring application logs for Python RecursionErrors or crashes tied to ASN.1 decoding can reveal exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the pyasn1 library to version 0.6.3 or later, which includes a fix that enforces a maximum ASN.1 nesting depth of 100 during decoding.
This fix prevents uncontrolled recursion by raising a controlled PyAsn1Error when the nesting depth limit is exceeded, avoiding interpreter crashes and denial-of-service conditions.
Until the upgrade is applied, restrict or validate ASN.1 inputs from untrusted sources so that deeply nested payloads are rejected before they reach the decoder. Because each extra nesting level costs only two bytes (a tag plus an indefinite-length marker), a payload size limit alone is not sufficient; a pre-check on nesting depth is needed.
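The following is an added example, not code from pyasn1 or from this advisory. It serves both the detection answer (building the nested-SEQUENCE/SET payload described there and, when pyasn1 happens to be installed, feeding it to pyasn1's real `pyasn1.codec.ber.decoder.decode`) and the mitigation answer (a depth pre-check that rejects such input before it reaches a vulnerable decoder). The `max_nesting_depth` scanner is a simplified, illustrative BER walker written for this page; it is not pyasn1's fix, though its limit of 100 mirrors the one the advisory says 0.6.3 enforces. It uses an explicit stack instead of recursion, so the check itself cannot be blown up by the payload it is guarding against. The sample byte strings are constructed for the example.

```python
"""Added example: build the CVE-2026-30922 style payload and pre-check nesting depth.
Not pyasn1's code; the walker is a simplified illustration of a depth limit."""
from __future__ import annotations

MAX_NESTING_DEPTH = 100  # mirrors the limit the advisory attributes to pyasn1 0.6.3

SEQUENCE = 0x30   # universal, constructed
SET = 0x31        # universal, constructed
INDEFINITE = 0x80 # indefinite-length marker
EOC = b"\x00\x00" # end-of-contents octets closing an indefinite-length value


class NestingLimitExceeded(ValueError):
    """Raised instead of letting recursion or memory blow up."""


def build_nested_payload(depth: int, tag: int = SEQUENCE) -> bytes:
    """Constructed test input: `depth` nested constructed tags, each with an
    indefinite length (0x80) and a matching end-of-contents. Two bytes per
    level, so thousands of levels fit in a few kilobytes."""
    if tag not in (SEQUENCE, SET):
        raise ValueError("tag must be SEQUENCE (0x30) or SET (0x31)")
    return bytes((tag, INDEFINITE)) * depth + EOC * depth


def _read_length(data: bytes, pos: int) -> tuple[int | None, int]:
    """Return (length, next position); length is None for indefinite form."""
    first = data[pos]
    pos += 1
    if first == INDEFINITE:
        return None, pos
    if first < 0x80:               # short form
        return first, pos
    n = first & 0x7F               # long form: n length octets follow
    if n == 0 or n > 4 or pos + n > len(data):
        raise ValueError(f"bad long-form length at offset {pos - 1}")
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def max_nesting_depth(data: bytes, max_depth: int = MAX_NESTING_DEPTH) -> int:
    """Walk BER TLVs with an explicit stack (no recursion) and return the
    deepest constructed nesting seen. Raises NestingLimitExceeded as soon as
    nesting passes max_depth, before the rest of the input is touched.
    Truncated input raises ValueError or IndexError."""
    stack: list[int | None] = []   # per open level: end offset, or None if indefinite
    deepest = 0
    pos = 0
    while pos < len(data):
        while stack and stack[-1] is not None and pos >= stack[-1]:
            stack.pop()            # definite-length level reached its end
        if stack and stack[-1] is None and data[pos:pos + 2] == EOC:
            stack.pop()            # indefinite-length level closed by EOC
            pos += 2
            continue
        tag = data[pos]
        pos += 1
        if tag & 0x1F == 0x1F:     # high-tag-number form: skip continuation octets
            while data[pos] & 0x80:
                pos += 1
            pos += 1
        length, pos = _read_length(data, pos)
        if tag & 0x20:             # constructed: open a new level
            stack.append(None if length is None else pos + length)
            if len(stack) > max_depth:
                raise NestingLimitExceeded(
                    f"ASN.1 nesting deeper than {max_depth} at offset {pos}")
            deepest = max(deepest, len(stack))
        else:                      # primitive: skip its contents
            if length is None:
                raise ValueError(f"primitive with indefinite length at offset {pos}")
            pos += length
    while stack and stack[-1] is not None and pos >= stack[-1]:
        stack.pop()
    if stack:
        raise ValueError("truncated ASN.1: unterminated constructed value")
    return deepest


def is_safe_to_decode(data: bytes, max_depth: int = MAX_NESTING_DEPTH) -> bool:
    """Interim guard for untrusted input: True only if well-formed and shallow enough."""
    try:
        max_nesting_depth(data, max_depth)
    except (NestingLimitExceeded, ValueError, IndexError):
        return False
    return True


def probe_pyasn1(payload: bytes) -> str:
    """Feed the payload to pyasn1's BER decoder if it is installed and report
    the outcome: RecursionError on a vulnerable release, PyAsn1Error on 0.6.3+."""
    try:
        from pyasn1.codec.ber import decoder
        from pyasn1.error import PyAsn1Error
    except ImportError:
        return "pyasn1 not installed"
    try:
        decoder.decode(payload)
    except RecursionError:
        return "RecursionError (vulnerable decoder)"
    except PyAsn1Error as exc:
        return f"PyAsn1Error: {exc}"
    except Exception as exc:  # MemoryError or anything else the decoder raises
        return f"{type(exc).__name__}: {exc}"
    return "decoded without error"


if __name__ == "__main__":
    payload = build_nested_payload(5000)
    print(f"{len(payload)} bytes, safe_to_decode={is_safe_to_decode(payload)}")
    print("pyasn1:", probe_pyasn1(payload))
```

Run stand-alone, the script builds a 5000-level payload (10 KB), shows the pre-check rejecting it after reading roughly 200 bytes, and then reports what the installed pyasn1, if any, does with it. In a service, `is_safe_to_decode` sits in front of the decoder on any untrusted path (LDAP, SNMP, Kerberos, certificate input) until the upgrade to 0.6.3 is done; it is a stopgap, not a replacement for upgrading.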