DEBIAN-CVE-2026-30922

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-30922

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-30922.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-30922

Upstream

CVE-2026-30922

Published

2026-03-18T04:17:18.397Z

Modified

2026-04-03T15:00:37.180680Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the pyasn1 library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested SEQUENCE (0x30) or SET (0x31) tags with "Indefinite Length" (0x80) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a RecursionError or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (MAX_OID_ARC_CONTINUATION_OCTETS) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.

References

https://security-tracker.debian.org/tracker/CVE-2026-30922

Affected packages

Debian:11 / pyasn1

Package

Name: pyasn1
Purl: pkg:deb/debian/pyasn1?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.4.8-1

0.4.8-1+deb11u1

0.4.8-2

0.4.8-2.1

0.4.8-3

0.4.8-4

0.5.1-1

0.6.0-1

0.6.1-1

0.6.2-1~bpo13+1

0.6.2-1

0.6.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-30922.json"

Debian:12 / pyasn1

Package

Name: pyasn1
Purl: pkg:deb/debian/pyasn1?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.4.8-3+deb12u2

Affected versions

0.*

0.4.8-3

0.4.8-3+deb12u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-30922.json"

Debian:13 / pyasn1

Package

Name: pyasn1
Purl: pkg:deb/debian/pyasn1?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.6.1-1+deb13u2

Affected versions

0.*

0.6.1-1

0.6.1-1+deb13u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-30922.json"

Debian:14 / pyasn1

Package

Name: pyasn1
Purl: pkg:deb/debian/pyasn1?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.6.3-1

Affected versions

0.*

0.6.1-1

0.6.2-1~bpo13+1

0.6.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-30922.json"