PatchSiren cyber security CVE debrief
CVE-2026-30922 pyasn1 CVE debrief
CVE-2026-30922 is a Denial of Service (DoS) vulnerability in pyasn1, a generic ASN.1 library for Python. The vulnerability is caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. This issue can be exploited by an attacker supplying a crafted payload containing thousands of nested SEQUENCE (0x30) or SET (0x31) tags with 'Indefinite Length' (0x80) markers, which forces the decoder to recursively call itself until the Python interpreter crashes with a RecursionError or consumes all available memory (OOM), crashing the host application. This vulnerability is distinct from CVE-2026-23490, which addressed integer overflows in OID decoding. The fix for CVE-2026-23490 does not mitigate this recursion issue. Users of pyasn1 library, especially those using versions prior to 0.6.3, should be aware of this vulnerability and take steps to mitigate it.
- Vendor
- pyasn1
- Product
- Unknown
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-03-18
- Original CVE updated
- 2026-07-15
- Advisory published
- 2026-03-18
- Advisory updated
- 2026-07-15
Who should care
Users of pyasn1 library, especially those using versions prior to 0.6.3, should be aware of this vulnerability and take steps to mitigate it. This includes updating pyasn1 to version 0.6.3 or later, limiting the depth of ASN.1 data decoding, and implementing memory and recursion limits for the decoder. System administrators and security teams responsible for maintaining systems that utilize pyasn1 should prioritize patching and mitigation efforts.
Technical summary
The pyasn1 library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested SEQUENCE (0x30) or SET (0x31) tags with 'Indefinite Length' (0x80) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a RecursionError or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (MAX_OID_ARC_CONTINUATION_OCTETS) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.
Defensive priority
High
Recommended defensive actions
- Update pyasn1 to version 0.6.3 or later
- Limit the depth of ASN.1 data decoding
- Implement memory and recursion limits for the decoder
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-03-18T04:17:18.397Z and was last modified on 2026-07-15T02:19:45.137Z. The NVD entry is currently Modified. This vulnerability affects users of the pyasn1 library, particularly those using versions prior to 0.6.3. The vulnerability allows for a Denial of Service (DoS) attack due to uncontrolled recursion when decoding ASN.1 data with deeply nested structures. Evidence of this vulnerability's impact includes the potential for an attacker to supply a crafted payload that could cause the decoder to crash or consume all available memory.
Official resources
-
CVE-2026-30922 CVE record
CVE.org
-
CVE-2026-30922 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Exploit, Vendor Advisory
-
Source reference
af854a3a-2127-422b-91ae-364da2661108
-
Source reference
af854a3a-2127-422b-91ae-364da2661108
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-03-18T04:17:18.397Z and has not been modified since then.