Untriaged
Permalink
CVE-2026-59886
7.5 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): None (N)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): High (H)
Activity log
- Created suggestion
pyasn1: Uncontrolled resource consumption when converting decoded REAL values
pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.4, the univ.Real type converted its mantissa, base, and exponent value to a Python float using exact big-integer exponentiation. A BER, CER, or DER encoded REAL value only a few bytes long can carry a very large exponent, causing float conversion through prettyPrint(), str(), comparison, arithmetic, int(), or an explicit float() call to consume excessive CPU and memory and hang applications that decode untrusted ASN.1 data and then print, log, or compare decoded objects. This issue is fixed in version 0.6.4.
References
-
https://github.com/pyasn1/pyasn1/security/advisories/GHSA-hm4w-wwcw-mr6r x_refsource_CONFIRM
-
https://github.com/pyasn1/pyasn1/releases/tag/v0.6.4 x_refsource_MISC
Affected products
pyasn1
- ==< 0.6.4
Matching in nixpkgs
pkgs.python313Packages.pyasn1
Generic ASN.1 library for Python
pkgs.python314Packages.pyasn1
Generic ASN.1 library for Python
pkgs.python313Packages.pysnmp-pyasn1
Python ASN.1 encoder and decoder
pkgs.python314Packages.pysnmp-pyasn1
Python ASN.1 encoder and decoder
pkgs.python313Packages.pyasn1-modules
Collection of ASN.1-based protocols modules
Package maintainers
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>