Back to overview

CVE-2026-59884

HIGH
7.5
CVSS 3.1
Description
pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.4, the BER decoder shared by the CER and DER codecs parses long-form tags by accumulating continuation octets without an upper bound on the tag ID size, allowing a crafted input to force construction of an arbitrarily large integer with CPU cost growing quadratically and to trigger unhandled ValueError exceptions in Python 3.11+ error formatting paths. Any application decoding untrusted BER, CER, or DER input is affected. This issue is fixed in version 0.6.4.

Metadata

CVE ID
CVE-2026-59884
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-07-07 16:40 UTC
Published
2026-07-14 16:41 UTC
Last updated
2026-07-14 16:41 UTC
Primary CWE
CWE-400
CWE-400: Uncontrolled Resource Consumption
Vendor / Product
pyasn1 / pyasn1
Sources
cve.org  ·  NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products (1)
VendorProductPlatformVersions
pyasn1 pyasn1 < 0.6.4
Weakness (CWE)
CWESourceDescription
CWE-400 cna CWE-400: Uncontrolled Resource Consumption
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References (3)
Back to overview