CVE-2026-30922
Denial of Service vulnerability in pyasn1 (PyPI)

Denial of Service. No known exploit.

What is CVE-2026-30922 About?

The `pyasn1` library is vulnerable to a Denial of Service (DoS) attack through uncontrolled recursion during ASN.1 decoding. An attacker can supply a crafted payload of deeply nested structures that drives the decoder into recursion as deep as the nesting itself, ending in a RecursionError or MemoryError inside the decoding process and taking the service down with it. The input needed is small and simple to construct.

Affected Software

pyasn1 <0.6.3

Technical Details

The vulnerability arises from the recursive design of the pyasn1 decoder when it handles deeply nested ASN.1 structures, specifically SEQUENCE (0x30) or SET (0x31) tags with indefinite-length (0x80) markers. Functions like indefLenValueDecoder, valueDecoder, and _decodeComponentsSchemaless recursively call decodeFun without limiting the recursion depth, so each nesting level costs the decoder a fresh stack frame. A crafted payload with many nested components therefore recurses as deeply as the payload is nested, leading to a RecursionError or MemoryError and thus to a denial of service. Because an indefinite-length constructed value costs only four bytes per level (tag, 0x80, and the two end-of-contents octets 0x00 0x00), a few kilobytes of input is enough to exceed the default Python recursion limit.

What is the Impact of CVE-2026-30922?

Successful exploitation may allow attackers to crash the application, disrupt service availability, and consume excessive system resources, leading to unresponsiveness or complete service failure.

What is the Exploitability of CVE-2026-30922?

Exploitation involves crafting a small ASN.1 payload with deeply nested SEQUENCE or SET types using indefinite-length markers. The attack is remote, requires no authentication or privileges, and consists of sending the malicious payload to any service that uses pyasn1 to parse untrusted ASN.1 data. The complexity is low. The primary risk factors are the widespread use of ASN.1 in protocols (e.g., LDAP, SNMP, Kerberos, X.509), the libraries that build on pyasn1 to speak them (pyasn1-modules, pysnmp, ldap3), and the library's lack of recursion depth limits.
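As an added illustration of the Technical Details and Exploitability sections above (this is example code, not pyasn1's own decoder and not from the advisory), the block below builds the nested indefinite-length SEQUENCE/SET payload described, runs it through a minimal BER decoder written in the same unbounded-recursion style, and then through a variant that enforces a nesting limit. The function names, the default limit of 32 levels, and the sample inputs are this example's own assumptions.

```python
"""
Added example for this advisory, not pyasn1's own code: a minimal BER
decoder in the recursive style the advisory describes, with an optional
nesting limit. build_nested_payload() produces the attack pattern
(nested SEQUENCE or SET with indefinite-length octets). All names and the
default limit of 32 levels are this example's own assumptions.
"""
import sys

SEQUENCE = 0x30          # universal, constructed SEQUENCE tag
SET = 0x31               # universal, constructed SET tag
INDEFINITE = 0x80        # length octet meaning "indefinite length"
END_OF_CONTENTS = b"\x00\x00"


class NestingTooDeep(ValueError):
    """Raised by the bounded decoder before the stack is exhausted."""


def build_nested_payload(depth: int, tag: int = SEQUENCE) -> bytes:
    """Constructed attack input: `depth` nested indefinite-length values.
    Each level costs four bytes (tag, 0x80, and a trailing 0x00 0x00)."""
    return bytes([tag, INDEFINITE]) * depth + END_OF_CONTENTS * depth


def attack_payload() -> bytes:
    """Constructed payload nested twice as deep as the interpreter's recursion limit."""
    return build_nested_payload(2 * sys.getrecursionlimit())


def _read_header(data: bytes, pos: int):
    """Return (tag, length or None for indefinite, offset of the contents).
    Single-octet tags and short-form definite lengths are enough here."""
    if pos + 2 > len(data):
        raise ValueError(f"truncated TLV header at offset {pos}")
    tag, length = data[pos], data[pos + 1]
    if length == INDEFINITE:
        return tag, None, pos + 2
    if length & 0x80:
        raise ValueError("long-form lengths are not handled in this example")
    return tag, length, pos + 2


def _decode(data: bytes, pos: int, depth: int, max_depth):
    """Recursive BER value decoder. With max_depth=None the recursion depth
    tracks payload nesting with no cap (the vulnerable shape); otherwise a
    payload nested deeper than max_depth is rejected before recursing."""
    if max_depth is not None and depth >= max_depth:
        raise NestingTooDeep(f"nesting deeper than {max_depth} at offset {pos}")
    tag, length, pos = _read_header(data, pos)
    if length is None:
        # Indefinite length: decode children until the end-of-contents octets.
        children = []
        while data[pos:pos + 2] != END_OF_CONTENTS:
            child, pos = _decode(data, pos, depth + 1, max_depth)
            children.append(child)
        return (tag, children), pos + 2
    if tag & 0x20:
        # Constructed, definite length: decode children up to the end offset.
        end = pos + length
        children = []
        while pos < end:
            child, pos = _decode(data, pos, depth + 1, max_depth)
            children.append(child)
        return (tag, children), end
    # Primitive value: return its raw content octets.
    return (tag, data[pos:pos + length]), pos + length


def decode_unbounded(data: bytes):
    """The vulnerable pattern: recursion depth follows the payload with no limit."""
    return _decode(data, 0, 0, None)[0]


def decode_bounded(data: bytes, max_depth: int = 32):
    """The hardened pattern: fail fast with a clean, catchable error."""
    return _decode(data, 0, 0, max_depth)[0]


def outcome(decoder, data: bytes) -> str:
    """Report how a decoder ends on `data`: 'decoded', 'rejected' or 'RecursionError'."""
    try:
        decoder(data)
        return "decoded"
    except NestingTooDeep:
        return "rejected"
    except RecursionError:
        return "RecursionError"


if __name__ == "__main__":
    attack = attack_payload()
    print(f"{len(attack)}-byte payload: unbounded -> {outcome(decode_unbounded, attack)}, "
          f"bounded -> {outcome(decode_bounded, attack)}")
```

The bounded variant raises NestingTooDeep well before the interpreter's recursion limit is reached, which a service can catch and turn into a rejected request instead of a crashed worker. Pick the limit from the deepest nesting the protocol in use legitimately produces; an X.509 certificate, for instance, nests well under 32 levels.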

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known public exploits.

What are the Available Fixes for CVE-2026-30922?

Available Upgrade Options

  • pyasn1
    • <0.6.3 → Upgrade to 0.6.3 or later

pyasn1 is usually pulled in as a transitive dependency (for example by pyasn1-modules, pysnmp or ldap3) rather than installed directly, so check the installed version with `pip show pyasn1` and pin the fixed version in your lock file rather than only in a top-level requirement.


Additional Resources

What are Similar Vulnerabilities to CVE-2026-30922?

Similar Vulnerabilities: CVE-2023-34358, CVE-2022-38686, CVE-2021-3610, CVE-2020-25692, CVE-2018-12020