Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
1DescriptionGitHub Advisory
mouse07410/asn1c is an ASN.1 compiler. In 1.4 and earlier, a memory safety vulnerability was identified in the OER decoding skeleton files generated by asn1c (specifically INTEGER_oer.c). When parsing a maliciously crafted, zero-length OER payload for a variable-length, non-negative INTEGER type, the decoder fails to validate the required bytes before extracting the Most Significant Bit (MSB). This forces a precise 1-byte Heap Out-of-Bounds (OOB) Read. Because asn1c generated code is primarily deployed to parse untrusted network inputs (such as V2X network protocols, 5G telecom headers, or X.509 certificates), when the decoder processes untrusted network-originated input, a remote attacker can exploit this to cause a Denial of Service (DoS) or trigger incorrect integer interpretation in downstream applications (e.g., protocol state poisoning or logic bypass).
AnalysisAI
Heap out-of-bounds read in mouse07410/asn1c versions 1.4 and earlier allows remote attackers to crash applications or corrupt integer parsing logic by sending a zero-length OER payload for a variable-length non-negative INTEGER type. The generated INTEGER_oer.c skeleton extracts the Most Significant Bit without validating input length, and because asn1c-generated parsers are commonly deployed in V2X, 5G telecom, and X.509 stacks, the impact extends into safety- and identity-critical pipelines. No public exploit identified at time of analysis, but the trivial trigger condition makes weaponization straightforward.
Technical ContextAI
asn1c is a widely used compiler that translates ASN.1 schemas into C decoders for binary encodings such as BER, DER, OER, and PER. The defect lives in the generated OER (Octet Encoding Rules) skeleton INTEGER_oer.c, which handles variable-length non-negative INTEGER decoding by reading the MSB of the value buffer to determine sign extension behavior. The root cause maps to CWE-20 (Improper Input Validation): the decoder dereferences the first byte of the payload without first checking that at least one byte is present, so a length-zero TLV element causes a 1-byte heap OOB read past the allocated buffer. Per CPE cpe:2.3:a:mouse07410:asn1c:*, all distributed versions of this fork up through 1.4 emit vulnerable skeleton code, meaning every application built against those skeletons inherits the flaw at runtime.
RemediationAI
Upgrade asn1c to a release that includes the fix referenced in GHSA-wxx8-76rw-96j2 (https://github.com/mouse07410/asn1c/security/advisories/GHSA-wxx8-76rw-96j2); upstream fix available per the advisory, but a specific released patched version was not independently confirmed from the supplied data, so consult the advisory for the exact tag. Critically, regenerate and recompile every product that uses the asn1c-emitted skeletons because the vulnerable code is copied into downstream binaries - simply updating the compiler without rebuilding consumers leaves the bug in place. As a compensating control where immediate rebuilds are not possible, add an input-length pre-check in front of the OER INTEGER decoder (reject TLVs whose value field is zero bytes) or front the parser with a schema-aware proxy that drops malformed packets; the trade-off is the added latency and the risk of rejecting unusual but legitimate encodings on the wire.
Integer overflow in the rtxMemHeapAlloc function in asn1rt_a.lib in Objective Systems ASN1C for C/C++ before 7.0.2 allow
The asn1f_lookup_symbol_impl function in asn1fix_retrieve.c in libasn1fix.a in asn1c 0.9.28 allows remote attackers to c
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33314