Skip to main content

Pyasn1

4 CVEs product

Monthly

CVE-2026-59884 HIGH PATCH This Week

Denial of service in the pyasn1 Python ASN.1 library (versions prior to 0.6.4) allows a remote attacker to exhaust CPU and crash applications by supplying crafted BER, CER, or DER encoded data. The shared BER decoder parses long-form tags without bounding the tag ID size, so a malicious tag forces construction of an arbitrarily large integer whose processing scales quadratically, and on Python 3.11+ triggers unhandled ValueError exceptions in integer-to-string error formatting. No public exploit identified at time of analysis, though the fix commit ships proof-of-concept test cases; not listed in CISA KEV.

Python Denial Of Service Pyasn1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-59885 HIGH PATCH This Week

Denial of service in the pyasn1 Python ASN.1 library (all versions prior to 0.6.4) allows remote attackers to exhaust CPU by submitting a small crafted OBJECT IDENTIFIER or RELATIVE-OID whose arcs are decoded in quadratic time, so any application that calls decode() on untrusted ASN.1 data can be stalled per call; re-encoding such values triggers the same blow-up. Rated CVSS 7.5 (availability-only) with no confidentiality or integrity impact; no public exploit identified at time of analysis, though the fix commit ships a regression test that effectively demonstrates the trigger. As a foundational dependency behind LDAP, SNMP, X.509/PKI and crypto tooling across the Python ecosystem, its broad transitive reach makes this notable despite the modest severity.

Python Denial Of Service Pyasn1
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-59886 HIGH PATCH This Week

Uncontrolled resource consumption in the pyasn1 Python ASN.1 library (versions prior to 0.6.4) lets remote attackers hang applications that decode untrusted BER/CER/DER data. A REAL value only a few bytes long can encode an enormous exponent; when the decoded univ.Real object is later printed, logged, compared, or converted via prettyPrint(), str(), int(), or float(), pyasn1 performs exact big-integer exponentiation that consumes excessive CPU and memory. There is no public exploit identified at time of analysis, but the network/no-auth/no-interaction, availability-only profile makes this a straightforward denial-of-service primitive; the issue is fixed in version 0.6.4.

Python Denial Of Service Pyasn1
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-23490 PyPI HIGH PATCH This Week

pyasn1 is a generic ASN.1 library for Python. versions up to 0.6.2 is affected by allocation of resources without limits or throttling (CVSS 7.5).

Python Denial Of Service Debian Linux Pyasn1
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the pyasn1 Python ASN.1 library (versions prior to 0.6.4) allows a remote attacker to exhaust CPU and crash applications by supplying crafted BER, CER, or DER encoded data. The shared BER decoder parses long-form tags without bounding the tag ID size, so a malicious tag forces construction of an arbitrarily large integer whose processing scales quadratically, and on Python 3.11+ triggers unhandled ValueError exceptions in integer-to-string error formatting. No public exploit identified at time of analysis, though the fix commit ships proof-of-concept test cases; not listed in CISA KEV.

Python Denial Of Service Pyasn1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the pyasn1 Python ASN.1 library (all versions prior to 0.6.4) allows remote attackers to exhaust CPU by submitting a small crafted OBJECT IDENTIFIER or RELATIVE-OID whose arcs are decoded in quadratic time, so any application that calls decode() on untrusted ASN.1 data can be stalled per call; re-encoding such values triggers the same blow-up. Rated CVSS 7.5 (availability-only) with no confidentiality or integrity impact; no public exploit identified at time of analysis, though the fix commit ships a regression test that effectively demonstrates the trigger. As a foundational dependency behind LDAP, SNMP, X.509/PKI and crypto tooling across the Python ecosystem, its broad transitive reach makes this notable despite the modest severity.

Python Denial Of Service Pyasn1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Uncontrolled resource consumption in the pyasn1 Python ASN.1 library (versions prior to 0.6.4) lets remote attackers hang applications that decode untrusted BER/CER/DER data. A REAL value only a few bytes long can encode an enormous exponent; when the decoded univ.Real object is later printed, logged, compared, or converted via prettyPrint(), str(), int(), or float(), pyasn1 performs exact big-integer exponentiation that consumes excessive CPU and memory. There is no public exploit identified at time of analysis, but the network/no-auth/no-interaction, availability-only profile makes this a straightforward denial-of-service primitive; the issue is fixed in version 0.6.4.

Python Denial Of Service Pyasn1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

pyasn1 is a generic ASN.1 library for Python. versions up to 0.6.2 is affected by allocation of resources without limits or throttling (CVSS 7.5).

Python Denial Of Service Debian Linux +1
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy