PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-30922 pyasn1 CVE debrief

CVE-2026-30922 is a Denial of Service (DoS) vulnerability in pyasn1, a generic ASN.1 library for Python. The vulnerability is caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. This issue can be exploited by an attacker supplying a crafted payload containing thousands of nested SEQUENCE (0x30) or SET (0x31) tags with 'Indefinite Length' (0x80) markers, which forces the decoder to recursively call itself until the Python interpreter crashes with a RecursionError or consumes all available memory (OOM), crashing the host application. This vulnerability is distinct from CVE-2026-23490, which addressed integer overflows in OID decoding. The fix for CVE-2026-23490 does not mitigate this recursion issue. Users of pyasn1 library, especially those using versions prior to 0.6.3, should be aware of this vulnerability and take steps to mitigate it.

Vendor
pyasn1
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-18
Original CVE updated
2026-07-15
Advisory published
2026-03-18
Advisory updated
2026-07-15

Who should care

Users of pyasn1 library, especially those using versions prior to 0.6.3, should be aware of this vulnerability and take steps to mitigate it. This includes updating pyasn1 to version 0.6.3 or later, limiting the depth of ASN.1 data decoding, and implementing memory and recursion limits for the decoder. System administrators and security teams responsible for maintaining systems that utilize pyasn1 should prioritize patching and mitigation efforts.

Technical summary

The pyasn1 library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested SEQUENCE (0x30) or SET (0x31) tags with 'Indefinite Length' (0x80) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a RecursionError or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (MAX_OID_ARC_CONTINUATION_OCTETS) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.

Defensive priority

High

Recommended defensive actions

  • Update pyasn1 to version 0.6.3 or later
  • Limit the depth of ASN.1 data decoding
  • Implement memory and recursion limits for the decoder
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-03-18T04:17:18.397Z and was last modified on 2026-07-15T02:19:45.137Z. The NVD entry is currently Modified. This vulnerability affects users of the pyasn1 library, particularly those using versions prior to 0.6.3. The vulnerability allows for a Denial of Service (DoS) attack due to uncontrolled recursion when decoding ASN.1 data with deeply nested structures. Evidence of this vulnerability's impact includes the potential for an attacker to supply a crafted payload that could cause the decoder to crash or consume all available memory.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-03-18T04:17:18.397Z and has not been modified since then.