<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Pyasn1 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/pyasn1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 07:11:02 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/pyasn1/feed.xml" rel="self" type="application/rss+xml"/><item><title>pyasn1: Quadratic Complexity in OBJECT IDENTIFIER and RELATIVE-OID Processing Allows Denial of Service</title><link>https://feed.craftedsignal.io/briefs/2026-07-pyasn1-dos/</link><pubDate>Fri, 17 Jul 2026 07:11:02 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-pyasn1-dos/</guid><description>A denial of service vulnerability, identified as CVE-2026-59885, exists in the pyasn1 library caused by quadratic complexity in the processing of OBJECT IDENTIFIER and RELATIVE-OID, which can lead to a denial of service.</description><content:encoded><![CDATA[<p>CVE-2026-59885 is a denial-of-service vulnerability affecting the <code>pyasn1</code> library. This vulnerability stems from quadratic complexity in how the library processes <code>OBJECT IDENTIFIER</code> and <code>RELATIVE-OID</code> data structures. An attacker can craft malicious ASN.1 data inputs that, when processed by <code>pyasn1</code>, consume excessive CPU resources due to the inefficient parsing algorithm, leading to a denial of service for applications or services relying on the library for ASN.1 data handling. This can disrupt services that use <code>pyasn1</code> for cryptographic operations, certificate validation, or network protocol parsing. The specific versions affected are not detailed in the MSRC brief, but users of <code>pyasn1</code> should review their implementations and update promptly.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a target system or application that uses the <code>pyasn1</code> library to process ASN.1 encoded data from untrusted sources.</li>
<li>The attacker crafts a malformed or excessively complex <code>OBJECT IDENTIFIER</code> or <code>RELATIVE-OID</code> within an ASN.1 data structure.</li>
<li>The attacker sends this specially crafted ASN.1 data to the vulnerable application.</li>
<li>When the <code>pyasn1</code> library attempts to parse the malicious <code>OBJECT IDENTIFIER</code> or <code>RELATIVE-OID</code> field, its quadratic complexity processing algorithm is triggered.</li>
<li>This leads to the application consuming excessive CPU resources and memory as it attempts to parse the malformed data.</li>
<li>The application becomes unresponsive or crashes due to resource exhaustion.</li>
<li>The result is a denial-of-service condition for the target application or system, rendering it unavailable.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploitation of CVE-2026-59885 would result in affected applications or services becoming unavailable due to resource exhaustion, specifically excessive CPU and memory consumption. Organizations relying on the <code>pyasn1</code> library for critical functions, such as authentication mechanisms, secure communication channels, or data parsing from external inputs, could experience significant operational disruption, data processing delays, and potential business losses. While no specific victims or targeting details are provided, any system processing untrusted ASN.1 data with a vulnerable <code>pyasn1</code> version is at risk of service interruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-59885 by updating the <code>pyasn1</code> library to a version that addresses this quadratic complexity vulnerability immediately.</li>
<li>Review applications that process <code>OBJECT IDENTIFIER</code> and <code>RELATIVE-OID</code> data using <code>pyasn1</code> to understand potential exposure and ensure input validation.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>denial-of-service</category><category>vulnerability</category><category>library</category></item></channel></rss>