CVE-2026-23490 - Vulnerability Details

- pyasn1 has a DoS vulnerability in decoder

Description

pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.

Published: 2026-01-16

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

pyasn1

affected

Version	Status	Constraints
`< 0.6.2`	affected	—

Configuration 1 [-]

cpe:2.3:a:pyasn1:pyasn1:*:*:*:*:*:python:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Pyasn1	Pyasn1	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4463-1	pyasn1 security update
Debian DSA	DSA-6114-1	pyasn1 security update
Github GHSA	GHSA-63vm-454h-vhhq	pyasn1 has a DoS vulnerability in decoder
Ubuntu USN	USN-7975-1	pyasn1 vulnerability
Ubuntu USN	USN-8134-1	pyasn1 vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00027.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/pyasn1/pyasn1/commit/3908f144229eed4df24bd569d16e5991ace44970
https://github.com/pyasn1/pyasn1/releases/tag/v0.6.2
https://github.com/pyasn1/pyasn1/security/advisories/GHSA-63vm-454h-vhhq
https://lists.debian.org/debian-lts-announce/2026/02/msg00002.html
https://nvd.nist.gov/vuln/detail/CVE-2026-23490
https://www.cve.org/CVERecord?id=CVE-2026-23490

History

Fri, 13 Mar 2026 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Debian Debian debian Linux
CPEs		cpe:2.3:a:pyasn1:pyasn1::::::python::* cpe:2.3:o:debian:debian_linux:11.0:::::::*
Vendors & Products		Debian Debian debian Linux

Sun, 01 Feb 2026 17:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2026/02/msg00002.html

Tue, 20 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-23490 https://www.cve.org/CVERecord?id=CVE-2026-23490
Metrics	threat_severity `None`	threat_severity `Important`

Mon, 19 Jan 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pyasn1 Pyasn1 pyasn1
Vendors & Products		Pyasn1 Pyasn1 pyasn1

Fri, 16 Jan 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 16 Jan 2026 19:15:00 +0000

Type	Values Removed	Values Added
Description		pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.
Title		pyasn1 has a DoS vulnerability in decoder
Weaknesses		CWE-770
References		https://github.com/pyasn1/pyasn1/commit/3908f144229eed4df24bd569d16e5991ace44970 https://github.com/pyasn1/pyasn1/releases/tag/v0.6.2 https://github.com/pyasn1/pyasn1/security/advisories/GHSA-63vm-454h-vhhq
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Debian Debian Linux

Pyasn1 Pyasn1

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-16T19:03:36.442Z

Updated: 2026-02-01T17:06:14.113Z

Reserved: 2026-01-13T15:47:41.628Z

Link: CVE-2026-23490

Vulnrichment

Updated: 2026-02-01T17:06:14.113Z

NVD

Status : Analyzed

Published: 2026-01-16T19:16:19.117

Modified: 2026-03-13T14:19:34.873

Link: CVE-2026-23490

Redhat

Severity : Important

Publid Date: 2026-01-16T19:03:36Z

Links: CVE-2026-23490 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T19:15:10Z

Weaknesses

CWE-770

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object