CVE-2026-23490 in pyasn1
Summary
by MITRE • 01/16/2026
pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.
Analysis
by VulDB Data Team • 03/08/2026
The pyasn1 library is a foundational component for handling Abstract Syntax Notation One (ASN.1) encoded data in Python applications, and it is widely used in network protocols, cryptographic implementations, and data serialization. It provides the parsing and generation of ASN.1 formatted data on which security protocols such as X.509 certificates, LDAP, and SNMP depend. The vulnerability affects versions prior to 0.6.2, indicating a regression or oversight in the library's handling of a specific ASN.1 data type that persisted across multiple releases. The flaw specifically concerns the RELATIVE-OID data type, which represents relative object identifiers in ASN.1 syntax and is commonly used in certificate chains and directory services where object identifiers are referenced relative to a base OID.
The technical flaw lies in the library's parsing logic for RELATIVE-OID structures containing excessive continuation octets. In the encoding, a continuation octet signals that additional bytes of the same sub-identifier follow. When a malformed RELATIVE-OID is processed, the parser fails to properly validate the continuation octet sequence, so memory allocation grows exponentially with each malformed continuation octet encountered. This is a classic denial-of-service vulnerability: an attacker can craft ASN.1 data containing a RELATIVE-OID with numerous continuation octets, causing the library to consume excessive memory during parsing. The vulnerability maps to CWE-400 (Uncontrolled Resource Consumption), which covers forms of resource exhaustion that can lead to system instability or complete service unavailability. The memory exhaustion occurs because the parser does not implement bounds checking or a maximum iteration limit when processing continuation octets, so carefully constructed malformed data can drive the parsing logic without limit.
The operational impact of this vulnerability extends beyond simple service disruption as it affects any application relying on pyasn1 for processing ASN.1 data from untrusted sources. Network services, certificate processing systems, and security applications that handle X.509 certificates, LDAP queries, or SNMP data are all at risk of being rendered unavailable through this attack vector. The vulnerability is particularly concerning in environments where applications process data from external sources without proper input validation, as a single malicious packet or file could trigger the memory exhaustion condition and potentially bring down entire services. This type of vulnerability aligns with ATT&CK technique T1499.004, specifically "Utilities: File System Wipe," where denial-of-service conditions are used to disrupt service availability. The impact is significant because pyasn1 is a foundational library used by many higher-level security components, meaning that exploitation could cascade through multiple systems and applications. Organizations using this library in production environments are particularly vulnerable, as the attack requires no privileged access or complex exploitation techniques, merely the ability to send malformed ASN.1 data to a target system.
The fix implemented in version 0.6.2 addresses the vulnerability through stricter input validation and bounds checking for continuation octet processing in RELATIVE-OID structures. The parser now enforces a reasonable limit on the number of continuation octets allowed in a single RELATIVE-OID encoding, preventing the exponential memory growth. Security practitioners should prioritize updating all systems using affected versions of pyasn1, particularly where untrusted data is processed. Mitigation involves not only updating the library but also validating input at the application layer to further reduce the risk of exploitation. Organizations should also consider monitoring for unusual memory consumption patterns that might indicate exploitation attempts, along with regular vulnerability scanning to identify systems still running vulnerable versions of the library. The fix is a defensive programming measure that aligns with the secure coding practices recommended by CWE guidance and industry security frameworks, which emphasize input validation and resource consumption limits in security-critical libraries.
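To illustrate the kind of bounds check the flaw and fix above describe, here is an added example (not pyasn1's own code) of a decoder for the content octets of a BER RELATIVE-OID that refuses an over-long run of continuation octets instead of growing its accumulator without limit. The caps MAX_SUBID_OCTETS and MAX_ARCS, the function names, and the constructed test vectors are assumptions for this example.

```python
# Added example (not pyasn1's code); caps below are assumptions.
MAX_SUBID_OCTETS = 10   # 10 * 7 = 70 bits: room for any 64-bit arc value
MAX_ARCS = 128          # sub-identifiers allowed per RELATIVE-OID


class MalformedRelativeOid(ValueError):
    """Content octets violate X.690 or exceed the configured caps."""


def decode_relative_oid(content, max_subid_octets=MAX_SUBID_OCTETS,
                        max_arcs=MAX_ARCS):
    """Return the arcs as a tuple of ints, or raise MalformedRelativeOid."""
    arcs, sub_id, run = [], 0, 0   # run = octets of the arc in progress
    for pos, octet in enumerate(content):
        run += 1
        if run > max_subid_octets:   # the unbounded case: refuse instead of growing
            raise MalformedRelativeOid(f"arc at offset {pos - run + 1} exceeds "
                                       f"{max_subid_octets} octets")
        if run == 1 and octet == 0x80:   # X.690 forbids a leading 0x80 octet
            raise MalformedRelativeOid(f"non-minimal encoding at offset {pos}")
        sub_id = (sub_id << 7) | (octet & 0x7F)
        if not octet & 0x80:             # high bit clear: arc is complete
            arcs.append(sub_id)
            if len(arcs) > max_arcs:
                raise MalformedRelativeOid(f"more than {max_arcs} arcs")
            sub_id, run = 0, 0
    if run:
        raise MalformedRelativeOid("truncated: last arc has no terminating octet")
    if not arcs:
        raise MalformedRelativeOid("a RELATIVE-OID needs at least one arc")
    return tuple(arcs)


def encode_relative_oid(arcs):
    """Minimal base-128 encoding of the arcs; used to build test vectors."""
    out = bytearray()
    for arc in arcs:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(groups))
    return bytes(out)


def is_well_formed(content):
    """True when the content octets decode within the caps."""
    try:
        decode_relative_oid(content)
        return True
    except MalformedRelativeOid:
        return False
```

The constructed vector `c2 7b 03 02` is the X.690 encoding of the relative OID {8571 3 2}; a run of continuation octets longer than the cap is rejected before any accumulator grows.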