EXECUTIVE SUMMARY:
The vulnerability tracked as CVE-2026-30922 affects the pyasn1 library and is classified as a high-severity Denial of Service (DoS) issue with a CVSS score of 7.5. It impacts versions up to and including 0.6.2, where improper handling of ASN.1 decoding allows uncontrolled recursion while processing deeply nested structures.

The flaw arises because the decoder repeatedly invokes recursive parsing functions without enforcing any depth limit. An attacker can therefore supply a specially crafted payload containing nested SEQUENCE or SET elements with indefinite-length encoding, driving recursion deep enough to trigger a RecursionError or exhaust system memory and crash the application. Because memory consumption grows linearly with nesting depth, even a small payload can have a disproportionately large impact.

The vulnerability can be exploited remotely without authentication, making it particularly dangerous for services that process untrusted ASN.1 input, such as LDAP, SNMP, Kerberos, or X.509 parsing systems. Successful exploitation disrupts service by terminating worker processes or exhausting resources, resulting in a denial of service condition.
RECOMMENDATION:
We strongly recommend you update pyasn1 to version 0.6.3.
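Where the upgrade cannot be rolled out immediately, a pre-decode guard that bounds nesting depth before untrusted bytes reach pyasn1 limits exposure. The following is an added example written for this advisory, not pyasn1's own code or its fix: it walks the BER tag/length structure with an explicit stack and rejects input nested deeper than a configurable limit, including the indefinite-length form described above. MAX_DEPTH, the function names and the sample byte strings are assumptions.

```python
MAX_DEPTH = 32  # assumed policy value: set it to what your protocol really needs

def ber_nesting_depth(data: bytes, limit: int = MAX_DEPTH) -> int:
    """Deepest nesting of constructed values in a BER encoding. Raises ValueError
    above `limit` or on malformed input (IndexError if truncated mid-header).
    Uses an explicit stack, not recursion, so the guard cannot hit RecursionError."""
    stack = []  # end offset of each open definite-length container, None if indefinite
    deepest, pos, n = 0, 0, len(data)
    while pos < n or stack:
        while stack and stack[-1] == pos:  # close definite containers ending here
            stack.pop()
        if pos >= n:
            if stack:
                raise ValueError("truncated: unterminated constructed value")
            break
        tag, pos = data[pos], pos + 1
        if tag & 0x1F == 0x1F:  # high-tag-number form: fail closed rather than misparse
            raise ValueError("unsupported: high-tag-number form")
        first, pos = data[pos], pos + 1
        length = None if first == 0x80 else first  # indefinite form, else short form
        if first > 0x80:  # long form: low 7 bits give the number of length octets
            num = first & 0x7F
            if num == 0 or pos + num > n:
                raise ValueError("malformed: bad long-form length")
            length, pos = int.from_bytes(data[pos:pos + num], "big"), pos + num
        if tag == 0x00 and length == 0:  # end-of-contents closes an indefinite container
            if not stack or stack[-1] is not None:
                raise ValueError("malformed: unexpected end-of-contents")
            stack.pop()
        elif not tag & 0x20:  # primitive value: skip its contents
            if length is None or length > n - pos:
                raise ValueError("malformed or truncated primitive")
            pos += length
        else:  # constructed SEQUENCE/SET/...: one level deeper
            stack.append(None if length is None else pos + length)
            deepest = max(deepest, len(stack))
            if deepest > limit:
                raise ValueError(f"nesting depth exceeds limit of {limit}")
    return deepest

def safe_to_decode(data: bytes, limit: int = MAX_DEPTH) -> bool:
    """Gate for untrusted input; run it before pyasn1's decoder.decode()."""
    try:
        return ber_nesting_depth(data, limit) <= limit
    except (ValueError, IndexError):
        return False

# Constructed samples (not traffic): SEQ{SEQ{SEQ{INTEGER 1}}} definite; SEQ{SEQ{NULL}} indefinite
SAMPLE_DEFINITE = bytes.fromhex("300730053003020101")
SAMPLE_INDEFINITE = bytes.fromhex("30803080050000000000")
```

The guard only checks structure; the decoder still performs full validation on input that passes, so it complements the upgrade rather than replacing it.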
REFERENCES:
The following reports contain further technical details: