{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/pyasn1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-59885"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["pyasn1"],"_cs_severities":["low"],"_cs_tags":["denial-of-service","vulnerability","library"],"_cs_type":"advisory","_cs_vendors":["pyasn1"],"content_html":"\u003cp\u003eCVE-2026-59885 is a denial-of-service vulnerability affecting the \u003ccode\u003epyasn1\u003c/code\u003e library. This vulnerability stems from quadratic complexity in how the library processes \u003ccode\u003eOBJECT IDENTIFIER\u003c/code\u003e and \u003ccode\u003eRELATIVE-OID\u003c/code\u003e data structures. An attacker can craft malicious ASN.1 data inputs that, when processed by \u003ccode\u003epyasn1\u003c/code\u003e, consume excessive CPU resources due to the inefficient parsing algorithm, leading to a denial of service for applications or services relying on the library for ASN.1 data handling. This can disrupt services that use \u003ccode\u003epyasn1\u003c/code\u003e for cryptographic operations, certificate validation, or network protocol parsing. The specific versions affected are not detailed in the MSRC brief, but users of \u003ccode\u003epyasn1\u003c/code\u003e should review their implementations and update promptly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a target system or application that uses the \u003ccode\u003epyasn1\u003c/code\u003e library to process ASN.1 encoded data from untrusted sources.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malformed or excessively complex \u003ccode\u003eOBJECT IDENTIFIER\u003c/code\u003e or \u003ccode\u003eRELATIVE-OID\u003c/code\u003e within an ASN.1 data structure.\u003c/li\u003e\n\u003cli\u003eThe attacker sends this specially crafted ASN.1 data to the vulnerable application.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003epyasn1\u003c/code\u003e library attempts to parse the malicious \u003ccode\u003eOBJECT IDENTIFIER\u003c/code\u003e or \u003ccode\u003eRELATIVE-OID\u003c/code\u003e field, its quadratic complexity processing algorithm is triggered.\u003c/li\u003e\n\u003cli\u003eThis leads to the application consuming excessive CPU resources and memory as it attempts to parse the malformed data.\u003c/li\u003e\n\u003cli\u003eThe application becomes unresponsive or crashes due to resource exhaustion.\u003c/li\u003e\n\u003cli\u003eThe result is a denial-of-service condition for the target application or system, rendering it unavailable.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of CVE-2026-59885 would result in affected applications or services becoming unavailable due to resource exhaustion, specifically excessive CPU and memory consumption. Organizations relying on the \u003ccode\u003epyasn1\u003c/code\u003e library for critical functions, such as authentication mechanisms, secure communication channels, or data parsing from external inputs, could experience significant operational disruption, data processing delays, and potential business losses. While no specific victims or targeting details are provided, any system processing untrusted ASN.1 data with a vulnerable \u003ccode\u003epyasn1\u003c/code\u003e version is at risk of service interruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-59885 by updating the \u003ccode\u003epyasn1\u003c/code\u003e library to a version that addresses this quadratic complexity vulnerability immediately.\u003c/li\u003e\n\u003cli\u003eReview applications that process \u003ccode\u003eOBJECT IDENTIFIER\u003c/code\u003e and \u003ccode\u003eRELATIVE-OID\u003c/code\u003e data using \u003ccode\u003epyasn1\u003c/code\u003e to understand potential exposure and ensure input validation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T07:11:02Z","date_published":"2026-07-17T07:11:02Z","id":"https://feed.craftedsignal.io/briefs/2026-07-pyasn1-dos/","summary":"A denial of service vulnerability, identified as CVE-2026-59885, exists in the pyasn1 library caused by quadratic complexity in the processing of OBJECT IDENTIFIER and RELATIVE-OID, which can lead to a denial of service.","title":"pyasn1: Quadratic Complexity in OBJECT IDENTIFIER and RELATIVE-OID Processing Allows Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-07-pyasn1-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Pyasn1","version":"https://jsonfeed.org/version/1.1"}