Description
pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.
Published: 2026-01-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via memory exhaustion
Action: Apply Patch
AI Analysis

Impact

A malformed RELATIVE-OID containing excessive continuation octets can cause the pyasn1 decoder to allocate large amounts of memory, leading to a denial of service. This is a CWE‑770 issue – Excessive Resource Consumption – affecting releases prior to 0.6.2 and fixed in 0.6.2. A successful exploitation would exhaust system memory, potentially halting a Python process or system component that relies on pyasn1.

Affected Systems

The vulnerability affects the pyasn1 package for Python, specifically any installations using a version earlier than 0.6.2. Debian 11.0 packages that ship the older library are also impacted, as noted in the Debian LTS announcement. Any host or service that imports pyasn1 and processes input ASN.1 data could be exposed.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, but the EPSS score of <1% indicates a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply or otherwise influence the malformed data that triggers memory exhaustion; the exact attack vector depends on the application’s use of pyasn1 and is inferred rather than explicitly provided.

Generated by OpenCVE AI on April 18, 2026 at 19:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to pyasn1 version 0.6.2 or newer
  • Restrict or sanitize ASN.1 input to reject RELATIVE-OID values with excessive continuation octets
  • Implement monitoring to detect abnormal memory usage by pyasn1 and trigger alerts or mitigation actions

Generated by OpenCVE AI on April 18, 2026 at 19:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4463-1 pyasn1 security update
Debian DSA Debian DSA DSA-6114-1 pyasn1 security update
Github GHSA Github GHSA GHSA-63vm-454h-vhhq pyasn1 has a DoS vulnerability in decoder
Ubuntu USN Ubuntu USN USN-7975-1 pyasn1 vulnerability
Ubuntu USN Ubuntu USN USN-8134-1 pyasn1 vulnerabilities
History

Fri, 13 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Debian
Debian debian Linux
CPEs cpe:2.3:a:pyasn1:pyasn1:*:*:*:*:*:python:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Vendors & Products Debian
Debian debian Linux

Sun, 01 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Pyasn1
Pyasn1 pyasn1
Vendors & Products Pyasn1
Pyasn1 pyasn1

Fri, 16 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Description pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.
Title pyasn1 has a DoS vulnerability in decoder
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Debian Debian Linux
Pyasn1 Pyasn1
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-01T17:06:14.113Z

Reserved: 2026-01-13T15:47:41.628Z

Link: CVE-2026-23490

cve-icon Vulnrichment

Updated: 2026-02-01T17:06:14.113Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-16T19:16:19.117

Modified: 2026-03-13T14:19:34.873

Link: CVE-2026-23490

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-16T19:03:36Z

Links: CVE-2026-23490 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T19:15:10Z

Weaknesses