OESA-2026-1776

Abstract Syntax Notation One (ASN.1) is a technology for exchanging structured data in a universally understood, hardware agnostic way. Many industrial, security and telephony applications heavily rely on ASN.1. The pyasn1 library implements ASN.1 support in pure-Python.

Security Fix(es):

The pyasn1 library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested SEQUENCE (0x30) or SET (0x31) tags with Indefinite Length (0x80) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a RecursionError or consumes all available memory (OOM), crashing the host application. The vulnerability exists in the indefLenValueDecoder, valueDecoder, and _decodeComponentsSchemaless functions, which recursively invoke the decoding callback decodeFun without passing a depth parameter or checking against a global MAX_ASN1_NESTING limit. Any service using pyasn1 to parse untrusted ASN.1 data (e.g., LDAP, SNMP, Kerberos, X.509 parsers) can be crashed remotely.(CVE-2026-30922)