CVE-2026-23490: Malformed ASN.1 RELATIVE-OID Triggers Remote Memory Exhaustion Denial-of-Service in pyasn1

Executive Summary

CVE ID: CVE-2026-23490
Affected Component: pyasn1 (Python ASN.1 decoding library)
Vulnerability Type: Uncontrolled resource consumption (memory exhaustion)
Severity: High
CVSS v3.1 Score: 7.5 (High)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Service crash, worker termination, application unavailability
Exploitability: Easy to moderate
Exploit Availability: Proof-of-Concept available


What is pyasn1 and why this matters

pyasn1 is a widely used Python library for encoding and decoding ASN.1 data structures. ASN.1 is a core format used in many critical technologies, including:

  • TLS / SSL certificate parsing
  • X.509 certificate validation
  • LDAP authentication and directory services
  • OCSP responders
  • PKI infrastructure
  • Custom binary network protocols

Because ASN.1 parsing often happens before authentication, any weakness in this stage becomes especially dangerous.


Vulnerability Description

The issue lies in how pyasn1 decodes RELATIVE-OID and Object Identifier (OID) values when processing ASN.1 BER/DER encoded data.

ASN.1 OIDs are made up of sub-identifiers encoded using base-128 variable-length encoding. Each byte uses the most significant bit as a continuation flag.

In vulnerable versions of pyasn1, the decoder does not enforce limits on:

  • The number of continuation bytes
  • The size of intermediate values being constructed
  • The amount of memory allocated while parsing malformed OIDs

An attacker can craft a RELATIVE-OID containing thousands or millions of continuation bytes (for example, repeated 0x81 bytes). When pyasn1 attempts to decode this, it:

  • Repeatedly shifts and accumulates the value
  • Builds extremely large Python integers and strings
  • Consumes excessive memory
  • Eventually causes:
    • MemoryError
    • Process termination
    • Container eviction
    • Worker crash
    • Full service outage

This is a classic memory exhaustion Denial-of-Service, triggered by malformed input.
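To make the decoding step above concrete, here is an added example (not pyasn1's code, and not the maintainers' fix) showing a textbook base-128 sub-identifier loop next to a bounded variant. The 10-octet cap (`MAX_SUBID_OCTETS`), the function names and the sample inputs are assumptions constructed for this illustration; the leading-0x80 rejection follows X.690 clause 8.19.2.

```python
# Added example (not pyasn1's code): a textbook base-128 sub-identifier decoder
# beside a bounded variant that rejects over-long or non-minimal encodings.
# The limit (MAX_SUBID_OCTETS) and the sample inputs are constructed for illustration.

from typing import List, Tuple

# Assumption: 10 base-128 octets carry 70 bits, enough for any 64-bit sub-identifier.
MAX_SUBID_OCTETS = 10


def decode_subid_unbounded(octets: bytes, pos: int) -> Tuple[int, int]:
    """Textbook loop: shift in 7 bits per octet until the continuation bit clears.
    Nothing bounds the loop, so a long run of 0x81 octets grows `value` without limit."""
    value = 0
    while True:
        b = octets[pos]
        pos += 1
        value = (value << 7) | (b & 0x7F)
        if not (b & 0x80):
            return value, pos


def decode_subid_bounded(octets: bytes, pos: int,
                         max_octets: int = MAX_SUBID_OCTETS) -> Tuple[int, int]:
    """Same loop with the checks a hardened decoder needs:
    - a leading 0x80 octet is a non-minimal encoding (X.690 8.19.2) and is rejected
    - the number of octets per sub-identifier is capped before any accumulation
    - truncated input (continuation bit still set at end of data) is rejected
    """
    if pos >= len(octets):
        raise ValueError("truncated sub-identifier")
    if octets[pos] == 0x80:
        raise ValueError("non-minimal sub-identifier encoding (leading 0x80)")
    value = 0
    for _ in range(max_octets):
        if pos >= len(octets):
            raise ValueError("truncated sub-identifier")
        b = octets[pos]
        pos += 1
        value = (value << 7) | (b & 0x7F)
        if not (b & 0x80):
            return value, pos
    raise ValueError(f"sub-identifier exceeds {max_octets} octets")


def decode_oid_content(octets: bytes, max_octets: int = MAX_SUBID_OCTETS) -> List[int]:
    """Decode the content octets of an OBJECT IDENTIFIER into its arc list.
    The first encoded sub-identifier packs the first two arcs as 40*X + Y."""
    if not octets:
        raise ValueError("empty OID content")
    first, pos = decode_subid_bounded(octets, 0, max_octets)
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    while pos < len(octets):
        sub, pos = decode_subid_bounded(octets, pos, max_octets)
        arcs.append(sub)
    return arcs


# Constructed samples: the content octets of 1.2.840.113549 (the well-known RSA arc)
# and a malformed run of 5000 continuation octets terminated by a single 0x00.
RSA_OID_CONTENT = bytes.fromhex("2a864886f70d")
MALFORMED_CONTENT = b"\x81" * 5000 + b"\x00"


def unbounded_growth_bits(content: bytes = MALFORMED_CONTENT) -> int:
    """How many bits the textbook loop accumulates for the malformed sample."""
    value, _ = decode_subid_unbounded(content, 0)
    return value.bit_length()


def bounded_rejects(content: bytes = MALFORMED_CONTENT) -> bool:
    """True when the hardened decoder refuses the given content octets."""
    try:
        decode_oid_content(content)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(decode_oid_content(RSA_OID_CONTENT))  # [1, 2, 840, 113549]
    print(unbounded_growth_bits())              # 35001
    print(bounded_rejects())                    # True
```

The point of the comparison is where the check sits: the bounded variant refuses the input after ten octets, before any large integer exists, whereas the textbook loop has already built a 35001-bit value for a 5001-octet sample and keeps growing linearly with the input.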


Why this is dangerous in real environments

This vulnerability is especially dangerous because:

  • It can be triggered remotely
  • No authentication is required
  • No user interaction is required
  • The payload can be embedded in:
    • TLS certificates
    • LDAP attributes
    • OCSP requests
    • Any ASN.1-based protocol
  • One request can crash a service or worker
  • Repeated requests can keep services permanently down

Any application that parses ASN.1 from untrusted sources using pyasn1 is potentially affected.


Affected Versions

  • Vulnerable: pyasn1 0.6.1
  • Fixed: pyasn1 0.6.2

Upgrading to 0.6.2 or newer fully resolves the issue.


Official Fix

The maintainers fixed the issue by adding proper bounds checking and defensive limits during RELATIVE-OID decoding to prevent unbounded memory allocation.

Upgrade immediately using the official release:

👉 https://github.com/pyasn1/pyasn1/releases/tag/v0.6.2


Proof-of-Concept (PoC) – Educational Use Only

A public proof-of-concept exists that demonstrates how a malformed RELATIVE-OID can exhaust memory when passed to the pyasn1 BER decoder.

What the PoC does (high-level)

  • Constructs an ASN.1 ObjectIdentifier
  • Uses a long chain of continuation bytes (0x81)
  • Passes the payload into pyasn1.codec.ber.decoder.decode()
  • The decoder attempts to build an enormous internal structure
  • Memory usage spikes until the process crashes

MITRE Classification

CWE

  • CWE-770 – Allocation of Resources Without Limits or Throttling

MITRE ATT&CK

  • T1499 – Endpoint Denial of Service
  • T1499.004 – Application or System Exploitation

How Exploitation Would Look in the Wild

Typical attack flow

  1. Attacker sends a crafted ASN.1 payload containing a malicious RELATIVE-OID
  2. Target service parses the ASN.1 data using pyasn1
  3. Memory usage spikes rapidly
  4. Application crashes or becomes unresponsive
  5. Service restarts (or stays down)
  6. Attacker repeats the request to sustain the outage

This attack is low-noise at the network level but very loud at the host level (memory spikes, crashes).


Detection Strategy

1. Application-Level Indicators

Look for:

  • MemoryError exceptions
  • Python stack traces mentioning:
    • pyasn1
    • codec.ber.decoder
    • ObjectIdentifier
  • Sudden worker crashes during certificate or ASN.1 parsing
  • Repeated parsing failures from the same client IP
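The application-level indicators above can be checked mechanically. The following is an added example (not part of the advisory) that runs over constructed log lines: it flags MemoryError entries that also carry a pyasn1 or ASN.1 marker and raises an alert when one client IP produces more than three such failures inside a five-minute window, mirroring the grouping the Splunk queries later in this post perform. The log layout, field names and threshold are assumptions made for the example.

```python
# Added example (not part of the advisory): detect ASN.1-related MemoryError lines
# and alert when one client exceeds THRESHOLD failures within WINDOW.
# Log lines, the "client=" field and the threshold are constructed for this example.

import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed application log in a simple "timestamp level client=IP message" layout.
SAMPLE_LOG = """\
2026-01-15T10:00:01Z ERROR client=203.0.113.7 MemoryError while decoding certificate (pyasn1.codec.ber.decoder)
2026-01-15T10:00:09Z ERROR client=203.0.113.7 MemoryError in ObjectIdentifier decode
2026-01-15T10:01:30Z INFO  client=198.51.100.2 TLS handshake completed
2026-01-15T10:02:44Z ERROR client=203.0.113.7 MemoryError: pyasn1 decoder ran out of memory
2026-01-15T10:03:58Z ERROR client=203.0.113.7 worker restarted after MemoryError in ASN.1 parsing
2026-01-15T10:20:00Z ERROR client=198.51.100.2 MemoryError in pyasn1 decoder
2026-01-15T11:00:00Z ERROR client=203.0.113.7 MemoryError in pyasn1 decoder
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+client=(?P<ip>\S+)\s+(?P<msg>.*)$")
# Indicators named in the advisory: MemoryError together with an ASN.1/pyasn1 marker.
ASN1_MARKERS = ("pyasn1", "codec.ber.decoder", "ObjectIdentifier", "ASN.1")

WINDOW = timedelta(minutes=5)
THRESHOLD = 3  # alert when a client exceeds this many failures inside one window


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Split a log line into (timestamp, client IP, message); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["msg"]


def is_asn1_memory_failure(msg: str) -> bool:
    return "MemoryError" in msg and any(marker in msg for marker in ASN1_MARKERS)


def failures_by_client(log_text: str) -> Dict[str, List[datetime]]:
    """Group timestamps of ASN.1-related MemoryError lines per client IP."""
    groups: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, msg = parsed
        if is_asn1_memory_failure(msg):
            groups[ip].append(ts)
    return groups


def clients_over_threshold(log_text: str, window: timedelta = WINDOW,
                           threshold: int = THRESHOLD) -> List[str]:
    """Sliding window over each client's sorted failure times: flag the client when
    more than `threshold` failures fall inside any span no longer than `window`."""
    flagged = []
    for ip, times in failures_by_client(log_text).items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print(clients_over_threshold(SAMPLE_LOG))  # ['203.0.113.7']
```

In the sample, 203.0.113.7 produces four qualifying failures between 10:00:01 and 10:03:58 and is flagged; its fifth failure an hour later does not matter to the window, and 198.51.100.2 has only one qualifying line. A single MemoryError is noise; the per-client clustering is what separates an attack from a one-off oversized certificate.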

2. Host-Level Indicators

  • Sudden memory spikes in Python processes
  • OOM killer messages
  • Container restarts
  • Kubernetes pod evictions
  • System logs showing killed processes due to memory pressure

3. Network-Level Indicators

  • ASN.1 payloads containing:
    • OID tag (0x06)
    • Followed by unusually long sequences of continuation bytes
  • TLS handshakes that consistently fail during certificate parsing
  • Repeated malformed LDAP or OCSP requests

Example Payload Pattern

  • ASN.1 tag: 0x06 (Object Identifier)
  • Length: large or malformed
  • Value: excessive repetition of continuation bytes (e.g., 0x81 0x81 0x81 ...)
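The payload pattern above can be scanned for without fully decoding the blob. Here is an added example (not part of the advisory or of any IDS product) that walks a BER/DER byte string, locates OBJECT IDENTIFIER (0x06) elements, parses their length octets and reports any whose content carries an unusually long run of continuation octets or whose declared length overruns the data. It also covers the RELATIVE-OID universal tag (0x0D), which the page names but does not list a tag for. The run threshold, the function names and the sample blobs are constructed assumptions.

```python
# Added example (not part of the advisory): scan a BER/DER blob for OBJECT IDENTIFIER
# (0x06) and RELATIVE-OID (0x0D) elements whose content holds a long run of
# continuation octets (high bit set), or whose declared length overruns the blob.
# The threshold and the sample blobs are constructed for this example.

from typing import List, Optional, Tuple

OID_TAGS = {0x06: "OBJECT IDENTIFIER", 0x0D: "RELATIVE-OID"}
# Assumption: no legitimate sub-identifier needs more than 10 octets (70 bits).
MAX_CONTINUATION_RUN = 10


def read_ber_length(blob: bytes, pos: int) -> Optional[Tuple[int, int]]:
    """Parse a BER length at `pos`; return (length, position after the length field),
    or None for the indefinite form (0x80), a truncated field, or a field wider than
    4 octets, which this scanner refuses to trust."""
    if pos >= len(blob):
        return None
    first = blob[pos]
    if first < 0x80:
        return first, pos + 1
    num_octets = first & 0x7F
    if num_octets == 0 or num_octets > 4 or pos + 1 + num_octets > len(blob):
        return None
    length = int.from_bytes(blob[pos + 1:pos + 1 + num_octets], "big")
    return length, pos + 1 + num_octets


def longest_continuation_run(content: bytes) -> int:
    """Length of the longest run of consecutive octets with the continuation bit set."""
    longest = run = 0
    for b in content:
        run = run + 1 if b & 0x80 else 0
        longest = max(longest, run)
    return longest


def find_suspicious_oids(blob: bytes, max_run: int = MAX_CONTINUATION_RUN) -> List[dict]:
    """Byte-by-byte scan for OID/RELATIVE-OID tags followed by a parseable length.
    Scanning every offset rather than walking the structure keeps this usable on
    truncated or deliberately malformed captures, at the cost of occasionally
    inspecting a byte that is not really a tag; such false candidates are harmless
    because they are only reported when their 'content' also looks malformed."""
    findings = []
    for pos, tag in enumerate(blob):
        if tag not in OID_TAGS:
            continue
        parsed = read_ber_length(blob, pos + 1)
        if parsed is None:
            continue
        length, start = parsed
        content = blob[start:start + length]
        run = longest_continuation_run(content)
        overrun = start + length > len(blob)
        if run > max_run or overrun:
            findings.append({"offset": pos, "tag": OID_TAGS[tag],
                             "declared_length": length, "longest_run": run,
                             "length_overrun": overrun})
    return findings


# Constructed samples.
# SEQUENCE { OID 1.2.840.113549.1.1.1 (rsaEncryption), NULL }: a normal AlgorithmIdentifier.
BENIGN = bytes.fromhex("300d06092a864886f70d0101010500")
# OID tag, long-form length 0x1389 = 5001, then 5000 x 0x81 and a terminating 0x00.
MALFORMED = b"\x06\x82\x13\x89" + b"\x81" * 5000 + b"\x00"
# OID tag whose declared length (0x7FFFFFFF) far exceeds the two content octets present.
TRUNCATED = b"\x06\x84\x7f\xff\xff\xff\x81\x81"


if __name__ == "__main__":
    print(find_suspicious_oids(BENIGN))     # []
    print(find_suspicious_oids(MALFORMED))  # one finding, longest_run 5000
    print(find_suspicious_oids(TRUNCATED))  # one finding, length_overrun True
```

The benign AlgorithmIdentifier produces no findings even though its content includes short continuation runs (0x86 0x48, 0x86 0xF7): legitimate OIDs never come close to the 10-octet cap, so the threshold can sit well below anything an attacker needs while staying above real traffic.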

Splunk Detection Queries

1. Detect pyasn1 decoding failures

index=application_logs
("pyasn1" OR "codec.ber.decoder" OR "ObjectIdentifier")
| stats count by host, source, _time
| sort -_time

2. Detect MemoryError related to ASN.1 parsing

index=application_logs
("MemoryError" AND ("pyasn1" OR "ASN.1" OR "ObjectIdentifier"))
| table _time host process message

3. Detect repeated crashes from the same client IP

index=application_logs
("pyasn1" OR "ASN.1")
| transaction client_ip maxspan=5m
| where eventcount > 3

4. Detect TLS or certificate parsing anomalies

index=security_logs
("certificate" OR "TLS" OR "X.509")
AND ("parse error" OR "decode failed")
| stats count by src_ip, dest_host
| where count > 5

5. Host memory spike correlation

index=os_metrics
metric_name=memory_used_percent
| timechart avg(metric_value) by host

Correlate spikes with application crashes in the same timeframe.


Recommended Mitigations

  1. Upgrade pyasn1 immediately to v0.6.2
  2. Apply memory limits to parsing workers (containers, cgroups, ulimit)
  3. Isolate ASN.1 parsing into separate processes
  4. Add size limits on incoming ASN.1 blobs
  5. Monitor memory usage aggressively for parsing components
  6. Deploy IDS rules for abnormal ASN.1 OID patterns

Risk Assessment

Risk Factor             Assessment
Remote exploitation     Yes
Authentication needed   No
Data breach             No
Service outage          Yes
Exploit difficulty      Low
Patch availability      Yes

Final Takeaway

CVE-2026-23490 is a high-impact denial-of-service vulnerability that targets a critical parsing layer used across many security-sensitive systems. While it does not allow data theft or code execution, its ability to crash services remotely makes it a serious operational risk.

If your environment processes ASN.1 data using pyasn1 and is exposed to untrusted input, patching should be treated as urgent.

Official upgrade link:
👉 https://github.com/pyasn1/pyasn1/releases/tag/v0.6.2


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.