Home

Description

pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.4, the BER, CER, and DER decoders process OBJECT IDENTIFIER and RELATIVE-OID values in quadratic time relative to the number of arcs, so a small crafted payload containing an OID with many arcs consumes excessive CPU per decode() call and can deny service to applications that decode untrusted ASN.1 data. The corresponding encoders have the same quadratic behavior when an application re-encodes previously decoded attacker-supplied values. This issue is fixed in version 0.6.4.

PUBLISHED Reserved 2026-07-07 | Published 2026-07-14 | Updated 2026-07-14 | Assigner GitHub_M




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-400: Uncontrolled Resource Consumption

CWE-407: Inefficient Algorithmic Complexity

Product status

< 0.6.4
affected

References

github.com/...pyasn1/security/advisories/GHSA-8ppf-4f7h-5ppj

github.com/...ommit/45bdb19eb7df4b3780fe9c912c63e99bffc39dd9

github.com/pyasn1/pyasn1/releases/tag/v0.6.4

cve.org (CVE-2026-59885)

nvd.nist.gov (CVE-2026-59885)

Download JSON