CVE-2026-59885 in pyasn1
Summary
by MITRE • 07/14/2026
pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.4, the BER, CER, and DER decoders process OBJECT IDENTIFIER and RELATIVE-OID values in quadratic time relative to the number of arcs, so a small crafted payload containing an OID with many arcs consumes excessive CPU per decode() call and can deny service to applications that decode untrusted ASN.1 data. The corresponding encoders have the same quadratic behavior when an application re-encodes previously decoded attacker-supplied values. This issue is fixed in version 0.6.4.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/14/2026
The pyasn1 library represents a critical security vulnerability affecting applications that process ASN.1 encoded data through its BER, CER, and DER decoders. This vulnerability manifests as a quadratic time complexity issue when processing OBJECT IDENTIFIER and RELATIVE-OID values, where the computational overhead grows exponentially with the number of arcs within these identifiers. The flaw stems from inefficient parsing algorithms that fail to properly bound the processing time required for ASN.1 object identifier structures, creating a potential denial of service condition that can severely impact application performance and availability.
The technical implementation of this vulnerability resides in the decoder's handling of OID values where each additional arc in an object identifier requires proportional increases in computational resources during the parsing phase. When an attacker crafts malicious ASN.1 data containing OBJECT IDENTIFIER or RELATIVE-OID structures with numerous arcs, the decoding process experiences exponential slowdowns that can cause applications to become unresponsive or consume excessive CPU cycles. This behavior specifically affects the BER (Basic Encoding Rules), CER (Canonical Encoding Rules), and DER (Distinguished Encoding Rules) decoders within the library, making them susceptible to exploitation across various ASN.1 encoding contexts.
The operational impact of this vulnerability extends beyond simple performance degradation to encompass complete service denial scenarios where applications processing untrusted ASN.1 data become vulnerable to resource exhaustion attacks. Attackers can craft relatively small payload files containing OID structures with hundreds or thousands of arcs that cause decoding operations to consume excessive computational resources, effectively rendering the target application unusable. This vulnerability particularly affects systems that process certificates, network protocols, or any application handling external ASN.1 encoded data without proper input validation, creating widespread potential for denial of service attacks across multiple security domains.
The mitigation strategy involves upgrading to pyasn1 version 0.6.4 or later, which implements proper bounds checking and optimized parsing algorithms to prevent the quadratic time complexity behavior. Security practitioners should also implement additional safeguards such as input validation, resource limits on decoding operations, and monitoring for unusual CPU usage patterns when processing ASN.1 data. This vulnerability aligns with CWE-795, which addresses the improper handling of input data leading to excessive computational consumption, and represents a classic example of an algorithmic complexity attack that can be mitigated through proper software design and timely patch management.
The fix implemented in version 0.6.4 addresses the core issue by introducing efficient parsing algorithms that maintain linear time complexity regardless of the number of arcs in OID structures. This prevents attackers from exploiting the quadratic behavior through crafted payloads while maintaining full backward compatibility with legitimate use cases. Organizations should prioritize this upgrade across all systems utilizing pyasn1 for processing ASN.1 encoded data, particularly those handling network protocols, certificate validation, or any security-sensitive applications that may be exposed to untrusted ASN.1 inputs. The vulnerability demonstrates the importance of algorithmic complexity analysis in security-critical libraries and reinforces the necessity of proper input validation and resource management in cryptographic software implementations.