CVE-2026-30922

CVE-2026-30922 is a denial-of-service vulnerability in the pyasn1 library, a generic ASN.1 library for Python. Versions prior to 0.6.3 are affected by uncontrolled recursion during the decoding of ASN.1 data containing deeply nested structures. An attacker can craft a payload with thousands of nested SEQUENCE (0x30) or SET (0x31) tags using indefinite length (0x80) markers, triggering excessive recursive calls in the decoder. This leads to a Python RecursionError or out-of-memory condition, crashing the host application. The issue is distinct from CVE-2026-23490, which addressed integer overflows in OID decoding, and the prior fix does not mitigate this recursion problem. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-674 (Uncontrolled Recursion).

Any unauthenticated remote attacker can exploit this vulnerability by supplying malicious ASN.1-encoded input to an application using an affected version of pyasn1 for parsing. Exploitation requires no privileges or user interaction, making it highly accessible over network connections where ASN.1 data is processed, such as in protocols involving certificates, cryptographic exchanges, or network management. Successful exploitation crashes the Python interpreter or consuming application through recursion exhaustion or memory depletion, resulting in high-impact availability disruption without affecting confidentiality or integrity.

The pyasn1 project released version 0.6.3 to fix this issue, as detailed in the GitHub commit 25ad481c19fdb006e20485ef3fc2e5b3eff30ef0 and security advisory GHSA-jr27-m4p2-rc6r. Security announcements on oss-security (March 20, 2026) and Debian LTS (May 2026) recommend upgrading to 0.6.3 or later. Practitioners should audit dependencies for vulnerable pyasn1 versions and apply updates promptly, especially in ASN.1-processing components.