CVE-2026-30922: Denial of Service in pyasn1 via Unbounded Recursion
The pyasn1 library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested SEQUENCE (0x30) or SET (0x31) tags with Indefinite Length (0x80) markers. The decoder recurses once per nesting level, so such input drives it down until the Python interpreter raises a RecursionError or exhausts available memory (OOM), either of which crashes the host application.
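The fix is to upgrade to the pyasn1 release the references below point to (v0.6.3). Services that accept untrusted BER/DER from the network may also want a defence-in-depth gate in front of any ASN.1 decoder. The following is an added example, not pyasn1 code or code from the advisory: an iterative tag/length walker that measures constructed-element nesting depth in O(n) time and without recursion, so it can reject input of the shape described above before pyasn1 ever sees it. `MAX_DEPTH = 32`, the `nest_definite` helper and the sample byte strings are constructed for illustration.

```python
"""Pre-decode nesting-depth gate for BER/DER input (added example, not pyasn1 code)."""

MAX_DEPTH = 32  # assumption: a reasonable bound for the protocols this service handles


class NestingTooDeep(ValueError):
    """Raised as soon as the nesting limit is exceeded."""


def _read_tag(buf, pos):
    """Return (is_constructed, next_pos); supports the high-tag-number form."""
    if pos >= len(buf):
        raise ValueError("truncated tag")
    first = buf[pos]
    pos += 1
    constructed = bool(first & 0x20)      # bit 6 marks a constructed encoding
    if (first & 0x1F) == 0x1F:            # tag number continues in following octets
        while True:
            if pos >= len(buf):
                raise ValueError("truncated tag")
            more = buf[pos] & 0x80
            pos += 1
            if not more:
                break
    return constructed, pos


def _read_length(buf, pos):
    """Return (length, next_pos); length is None for the indefinite form (0x80)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first == 0x80:
        return None, pos
    if first & 0x80:                      # long form: low 7 bits give the octet count
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        return int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return first, pos


def max_nesting_depth(buf: bytes, limit: int = MAX_DEPTH) -> int:
    """Walk the TLV stream iteratively and return the deepest constructed nesting level.

    Raises NestingTooDeep the moment `limit` is exceeded and ValueError on
    malformed or truncated input. Uses an explicit stack, never recursion.
    """
    stack = []   # one entry per open constructed element: end offset, or None if indefinite
    pos = 0
    deepest = 0
    while True:
        # Close definite-length containers that end exactly here.
        while stack and stack[-1] is not None and pos == stack[-1]:
            stack.pop()
        if stack and stack[-1] is not None and pos > stack[-1]:
            raise ValueError("inner element overruns its enclosing element")
        if pos >= len(buf):
            if stack:
                raise ValueError("truncated: %d element(s) still open" % len(stack))
            return deepest
        # End-of-contents octets (00 00) close the innermost indefinite-length container.
        if stack and stack[-1] is None and buf[pos:pos + 2] == b"\x00\x00":
            stack.pop()
            pos += 2
            continue
        constructed, pos = _read_tag(buf, pos)
        length, pos = _read_length(buf, pos)
        if constructed:
            end = None if length is None else pos + length
            if end is not None and end > len(buf):
                raise ValueError("constructed element overruns buffer")
            stack.append(end)
            if len(stack) > limit:
                raise NestingTooDeep("nesting depth %d exceeds limit %d" % (len(stack), limit))
            deepest = max(deepest, len(stack))
        else:
            if length is None:
                raise ValueError("primitive element with indefinite length")
            if pos + length > len(buf):
                raise ValueError("primitive element overruns buffer")
            pos += length


def safe_to_decode(buf: bytes, limit: int = MAX_DEPTH) -> bool:
    """Gate to call before handing untrusted bytes to an ASN.1 decoder."""
    try:
        max_nesting_depth(buf, limit)
        return True
    except ValueError:          # NestingTooDeep is a ValueError as well
        return False


def nest_definite(depth: int, payload: bytes = b"\x02\x01\x01") -> bytes:
    """Constructed sample: `depth` definite-length SEQUENCEs around INTEGER 1 (short-form lengths)."""
    for _ in range(depth):
        if len(payload) >= 128:
            raise ValueError("sample too large for short-form lengths")
        payload = b"\x30" + bytes([len(payload)]) + payload
    return payload


# Constructed samples: a benign SEQUENCE { INTEGER 1, UTF8String "ok" } and the
# nested indefinite-length shape the advisory describes, at a depth the gate rejects.
BENIGN_DER = bytes.fromhex("3007020101" "0c026f6b")
DEEP_INDEFINITE = b"\x30\x80" * 50 + b"\x00\x00" * 50

if __name__ == "__main__":
    print("benign depth:", max_nesting_depth(BENIGN_DER))
    print("deep indefinite accepted?", safe_to_decode(DEEP_INDEFINITE))
    print("deep definite accepted?", safe_to_decode(nest_definite(40)))
```

The walker is deliberately not a full BER validator; it only needs to be strict enough that anything it accepts has bounded nesting, and anything malformed enough to confuse it is rejected rather than passed through. Run it on every request body before decoding, and log rejections so a flood of over-deep input shows up in monitoring.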
References
- github.com/advisories/GHSA-jr27-m4p2-rc6r
- github.com/pyasn1/pyasn1
- github.com/pyasn1/pyasn1/commit/25ad481c19fdb006e20485ef3fc2e5b3eff30ef0
- github.com/pyasn1/pyasn1/commit/5a49bd1fe93b5b866a1210f6bf0a3924f21572c8
- github.com/pyasn1/pyasn1/releases/tag/v0.6.3
- github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r
- nvd.nist.gov/vuln/detail/CVE-2026-30922