CVE-2026-30922 Overview
CVE-2026-30922 is a Denial of Service (DoS) vulnerability in the pyasn1 library, a generic ASN.1 library for Python. Prior to version 0.6.3, the library is vulnerable to uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can exploit this flaw by supplying a crafted payload containing thousands of nested SEQUENCE (0x30) or SET (0x31) tags with "Indefinite Length" (0x80) markers, causing the decoder to recursively call itself until the Python interpreter crashes with a RecursionError or exhausts all available memory (OOM), crashing the host application.
Critical Impact
This vulnerability enables remote attackers to crash any Python application using the pyasn1 library for ASN.1 decoding by sending specially crafted payloads with deeply nested structures, resulting in complete service unavailability.
Affected Products
- pyasn1 versions prior to 0.6.3
- Applications and services using pyasn1 for ASN.1 decoding
- Python-based TLS/SSL implementations relying on pyasn1
Discovery Timeline
- 2026-03-18 - CVE-2026-30922 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-30922
Vulnerability Analysis
This vulnerability (CWE-674: Uncontrolled Recursion) exists in the BER decoder component of pyasn1. The core issue lies in the decoder's handling of nested ASN.1 structures without enforcing a maximum recursion depth. When processing ASN.1 data, the decoder recursively parses nested elements such as SEQUENCE and SET containers. Without a depth limit, an attacker can craft malicious ASN.1 payloads with extreme nesting levels that exceed Python's default recursion limit (typically 1000), triggering a RecursionError and application crash.
It's important to note that this vulnerability is distinct from CVE-2026-23490, which addressed integer overflows in OID decoding. The fix for CVE-2026-23490 (MAX_OID_ARC_CONTINUATION_OCTETS) does not mitigate this recursion issue, as they target different attack vectors within the same library.
Root Cause
The root cause is the absence of recursion depth tracking in the BER decoder's parsing logic. When the decoder encounters nested SEQUENCE (0x30) or SET (0x31) tags with "Indefinite Length" (0x80) markers, it processes each nested level through recursive function calls without validating the current depth against a safe threshold. This allows an attacker to trigger stack exhaustion or memory exhaustion through carefully crafted payloads.
Attack Vector
The attack can be executed remotely over a network connection (AV:N) without requiring authentication (PR:N) or user interaction (UI:N). An attacker crafts a malicious ASN.1 payload containing thousands of nested SEQUENCE or SET structures, each marked with indefinite length encoding. When a vulnerable application attempts to decode this payload—such as during TLS certificate parsing, LDAP operations, or SNMP message processing—the decoder enters an uncontrolled recursion loop. The attack results in service unavailability (A:H) without compromising data confidentiality or integrity.
The security patch introduces a MAX_NESTING_DEPTH constant to limit recursion:
# Maximum number of continuation octets (high-bit set) allowed per OID arc.
# 20 octets allows up to 140-bit integers, supporting UUID-based OIDs
MAX_OID_ARC_CONTINUATION_OCTETS = 20
+MAX_NESTING_DEPTH = 100
# Maximum number of bytes in a BER length field (8 bytes = up to 2^64-1)
MAX_LENGTH_OCTETS = 8
Source: GitHub Commit
Detection Methods for CVE-2026-30922
Indicators of Compromise
- Application crashes with RecursionError or RuntimeError: maximum recursion depth exceeded in stack traces referencing pyasn1 decoder modules
- Sudden memory exhaustion (OOM) events in services processing ASN.1 data
- Abnormally large or malformed ASN.1 payloads in network traffic containing excessive nested SEQUENCE (0x30) or SET (0x31) tags
- Repeated service restarts or failures in applications handling TLS certificates, LDAP, or SNMP
Detection Strategies
- Monitor Python application logs for RecursionError exceptions originating from pyasn1.codec.ber.decoder modules
- Deploy network-level inspection to detect ASN.1 payloads with unusually deep nesting patterns or excessive indefinite length markers
- Use application performance monitoring (APM) tools to alert on sudden memory spikes or stack depth anomalies during ASN.1 processing
- Audit installed pyasn1 versions across environments using dependency scanning tools to identify vulnerable deployments
Monitoring Recommendations
- Configure alerting for service availability degradation in applications known to use pyasn1 for ASN.1 parsing
- Implement rate limiting on endpoints that accept and decode ASN.1-formatted data
- Enable detailed logging for ASN.1 decoding operations to capture payload characteristics before crashes occur
How to Mitigate CVE-2026-30922
Immediate Actions Required
- Upgrade pyasn1 to version 0.6.3 or later immediately across all affected systems
- Audit all Python applications and dependencies to identify pyasn1 usage, including transitive dependencies
- Implement input validation to reject excessively large or deeply nested ASN.1 payloads before they reach the decoder
- Consider temporarily isolating or rate-limiting services that process untrusted ASN.1 data until patching is complete
Patch Information
The vulnerability is fixed in pyasn1 version 0.6.3. The patch introduces a MAX_NESTING_DEPTH constant set to 100, which enforces a hard limit on recursion depth during ASN.1 decoding. This prevents attackers from triggering stack exhaustion through deeply nested structures. For detailed technical information, refer to the GitHub Security Advisory and the patch commit.
Workarounds
- If immediate patching is not feasible, increase Python's recursion limit cautiously using sys.setrecursionlimit(), though this may delay but not prevent crashes
- Deploy a reverse proxy or web application firewall (WAF) to filter requests containing suspiciously large ASN.1 payloads
- Implement application-level pre-parsing validation to check nesting depth before passing data to pyasn1
# Upgrade pyasn1 to patched version
pip install --upgrade pyasn1>=0.6.3
# Verify installed version
pip show pyasn1 | grep Version
# Check for pyasn1 in project dependencies
pip freeze | grep pyasn1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
