Skip to main content

Python CVE-2026-30922

HIGH
Uncontrolled Recursion (CWE-674)
2026-03-17 https://github.com/pyasn1/pyasn1 GHSA-jr27-m4p2-rc6r
7.5
CVSS 3.1 · Vendor: https://github.com/pyasn1/pyasn1
Share

Severity by source

Vendor (https://github.com/pyasn1/pyasn1) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/pyasn1/pyasn1).

CVSS VectorVendor: https://github.com/pyasn1/pyasn1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:30 vuln.today
Patch released
Mar 17, 2026 - 20:30 nvd
Patch available
CVE Published
Mar 17, 2026 - 16:17 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 59 pypi packages depend on pyasn1 (24 direct, 35 indirect)

Ecosystem-wide dependent count for version 0.6.3.

DescriptionCVE.org

Summary

The pyasn1 library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested SEQUENCE (0x30) or SET (0x31) tags with Indefinite Length (0x80) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a RecursionError or consumes all available memory (OOM), crashing the host application.

This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (MAX_OID_ARC_CONTINUATION_OCTETS) does not mitigate this recursion issue.

Details

The vulnerability exists because the decoder iterates through the input stream and recursively calls decodeFun (the decoding callback) for every nested component found, without tracking or limiting the recursion depth. Vulnerable Code Locations:

  1. indefLenValueDecoder (Line 998):
for component in decodeFun(substrate, asn1Spec, allowEoo=True, **options):```
This method handles indefinite-length constructed types. It sits inside a `while True` loop and recursively calls the decoder for every nested tag.

2. `valueDecoder` (Lines 786 and 907):

This method handles standard decoding when a schema is present. It contains two distinct recursive calls that lack depth checks: Line 786: Recursively decodes components of SEQUENCE or SET types. Line 907: Recursively decodes elements of SEQUENCE OF or SET OF types.

  1. _decodeComponentsSchemaless (Line 661):
for component in decodeFun(substrate, **options):```
This method handles decoding when no schema is provided.

In all three cases, `decodeFun` is invoked without passing a `depth` parameter or checking against a global `MAX_ASN1_NESTING` limit.
### PoC

import sys from pyasn1.codec.ber import decoder

sys.setrecursionlimit(100000)

print("[*] Generating Recursion Bomb Payload...") depth = 50_000 chunk = b'\x30\x80' payload = chunk * depth

print(f"[*] Payload size: {len(payload) / 1024:.2f} KB") print("[*] Triggering Decoder...")

try: decoder.decode(payload) except RecursionError: print("[!] Crashed: Recursion Limit Hit") except MemoryError: print("[!] Crashed: Out of Memory") except Exception as e: print(f"[!] Crashed: {e}")

[*] Payload size: 9.77 KB [*] Triggering Decoder... [!] Crashed: Recursion Limit Hit

### Impact
- This is an unhandled runtime exception that typically terminates the worker process or thread handling the request. This allows a remote attacker to trivially kill service workers with a small payload (<100KB), resulting in a Denial of Service. Furthermore, in environments where recursion limits are increased, this leads to server-wide memory exhaustion.
- Service Crash: Any service using `pyasn1` to parse untrusted ASN.1 data (e.g., LDAP, SNMP, Kerberos, X.509 parsers) can be crashed remotely.
- Resource Exhaustion: The attack consumes RAM linearly with the nesting depth. A small payload (<200KB) can consume hundreds of megabytes of RAM or exhaust the stack.
### Credits
Vulnerability discovered by Kevin Tu of TMIR at ByteDance.

AnalysisAI

The pyasn1 library suffers from an uncontrolled recursion vulnerability when parsing deeply nested ASN.1 structures, allowing remote attackers to trigger a denial of service through stack exhaustion or memory consumption. Any service using pyasn1 to parse untrusted ASN.1 data (including LDAP, SNMP, Kerberos, and X.509 parsers) can be crashed remotely with a small crafted payload under 100KB. A working proof-of-concept is publicly available, and while not currently in CISA KEV, the vulnerability has a CVSS score of 7.5 indicating high severity.

Technical ContextAI

The pyasn1 library is a pure-Python implementation of ASN.1 (Abstract Syntax Notation One) types and codecs, commonly used for parsing cryptographic protocols and certificates. The vulnerability (CWE-674: Uncontrolled Recursion) occurs in the BER decoder's handling of nested SEQUENCE (0x30) or SET (0x31) tags with Indefinite Length (0x80) markers, where recursive calls to decodeFun lack depth checking in multiple code paths including indefLenValueDecoder, valueDecoder, and _decodeComponentsSchemaless methods. The affected product is identified as pkg:pip/pyasn1, and this is a distinct issue from the previously patched CVE-2026-23490 which addressed integer overflows in OID decoding.

RemediationAI

Upgrade pyasn1 to version 0.6.3 or later which includes the fix commit 5a49bd1fe93b5b866a1210f6bf0a3924f21572c8 as referenced in the vendor advisory at https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r. Until patching is possible, implement input size limits and request timeouts for ASN.1 parsing operations, though these workarounds provide only partial mitigation as small payloads can still trigger the vulnerability. Organizations should prioritize patching internet-facing services that parse untrusted ASN.1 data, particularly LDAP, SNMP, and certificate validation services.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/manager/4.3/proxy-httpd:4.3.17.9.76.4 Container suse/manager/4.3/proxy-tftpd:4.3.17.9.66.4 Container suse/sle-micro-rancher/5.2:latest Image SLES15-SP5-Micro-5-5 Image SLES15-SP5-Micro-5-5-Azure Image SLES15-SP5-SAP-Azure-LI-BYOS Image SLES15-SP5-SAP-Azure-LI-BYOS-Production Image SLES15-SP5-SAP-Azure-VLI-BYOS Image SLES15-SP5-SAP-Azure-VLI-BYOS-Production Image SLES15-SP6-SAP-Azure-LI-BYOS Image SLES15-SP6-SAP-Azure-LI-BYOS-Production Image SLES15-SP6-SAP-Azure-VLI-BYOS Image SLES15-SP6-SAP-Azure-VLI-BYOS-Production Affected
Container suse/sl-micro/6.0/baremetal-os-container:latest Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.67 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.89 Image SL-Micro Image SL-Micro-Base Image SL-Micro-Base-RT Image SL-Micro-Base-RT-SelfInstall Image SL-Micro-Base-RT-encrypted Image SL-Micro-Base-SelfInstall Image SL-Micro-Base-encrypted Image SL-Micro-Base-qcow Image SL-Micro-Default Image SL-Micro-Default-SelfInstall Image SL-Micro-Default-encrypted Image SL-Micro-Default-qcow Image SL-Micro-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
Container suse/sl-micro/6.0/toolbox:13.2-9.31 Affected
Image SLES12-SP5-GCE-SAP-BYOS Image SLES12-SP5-GCE-SAP-On-Demand Affected
Image SLES15-SP7-SAP-EC2 Affected

Share

CVE-2026-30922 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy