CVE-2026-59884

Summary

pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.4, the BER decoder shared by the CER and DER codecs parses long-form tags by accumulating continuation octets without an upper bound on the tag ID size, allowing a crafted input to force construction of an arbitrarily large integer with CPU cost growing quadratically and to trigger unhandled ValueError exceptions in Python 3.11+ error formatting paths. Any application decoding untrusted BER, CER, or DER input is affected. This issue is fixed in version 0.6.4.

Affected Software

VendorProductVersion RangeStatus
pyasn1pyasn1< 0.6.4affected

Weaknesses

  • CWE-400: CWE-400: Uncontrolled Resource Consumption

References