CVE-2026-23490

Infinite Mass: The Python OID Memory Hole

Amit Schendel
Senior Security Researcher

Jan 17, 2026 · 6 min read

Executive Summary (TL;DR)

The `pyasn1` library, used extensively in Python cryptography and networking stacks, failed to limit the length of Object Identifiers (OIDs) during decoding. Because each OID sub-identifier is a Variable-Length Quantity (VLQ) whose continuation bits say "more bytes follow", a decoder that keeps accumulating for as long as those bits are set builds an integer bounded only by the length of the input. A single malformed packet can therefore drive the decoder into consuming all available system RAM and crashing the process (DoS).

A deep dive into how a 40-year-old encoding standard (ASN.1) combined with Python's arbitrary-precision integers to create a trivial, unauthenticated Denial of Service vector in the `pyasn1` library.
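To make the failure mode concrete, the following is an added example, not pyasn1's own code and not the fix the project shipped: a base-128 (VLQ) OID sub-identifier decoder in both shapes, unbounded as the summary describes, and with a per-arc byte cap that rejects oversized input before the integer is allowed to grow. The constant MAX_ARC_BYTES, the function names and the sample byte strings are assumptions made for this example.

```python
"""Added example, not pyasn1's own code: decoding the base-128 (VLQ)
sub-identifiers of a BER/DER OID with and without a cap on arc length.

Each arc after the first two is a run of bytes; the high bit (0x80)
means "more bytes follow", the low 7 bits carry data, most significant
group first.  A decoder that keeps shifting and OR-ing for as long as the
continuation bit is set builds an int whose size is bounded only by the
input, which is the CWE-770 pattern this page describes.  The cap below
turns that into a bounded, rejectable condition.
"""

# Policy value chosen for this example (not taken from pyasn1): a 64-bit
# arc needs at most 10 base-128 groups, so anything longer is malformed.
MAX_ARC_BYTES = 10

# Constructed sample: DER content octets of 1.2.840.113549 (rsadsi).
RSA_OID_DER = bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D])

# Constructed sample: first arc is fine, the next arc has 20 continuation
# bytes before its terminator, far beyond anything a real OID needs.
OVERSIZED_ARC = bytes([0x2A]) + bytes([0x81] * 20) + bytes([0x01])


def split_first_arc(value: int) -> tuple:
    """X.690 packs the first two arcs as X*40 + Y (X in 0..2)."""
    if value < 40:
        return 0, value
    if value < 80:
        return 1, value - 40
    return 2, value - 80


def decode_oid(payload: bytes, max_arc_bytes=None) -> tuple:
    """Decode OID content octets into a tuple of integer arcs.

    With max_arc_bytes=None the decoder is unbounded, i.e. it behaves like
    the vulnerable pattern.  With a cap it raises ValueError as soon as an
    arc exceeds the cap, before the accumulated integer grows any further.
    """
    if not payload:
        raise ValueError("empty OID")
    arcs = []
    value = 0
    nbytes = 0          # bytes consumed by the arc currently being built
    for b in payload:
        nbytes += 1
        if max_arc_bytes is not None and nbytes > max_arc_bytes:
            raise ValueError("OID arc longer than %d bytes" % max_arc_bytes)
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # terminator: this arc is complete
            if not arcs:
                arcs.extend(split_first_arc(value))
            else:
                arcs.append(value)
            value = 0
            nbytes = 0
    if nbytes:                        # input ended in the middle of an arc
        raise ValueError("truncated OID arc")
    return tuple(arcs)


def is_safe_oid(payload: bytes, max_arc_bytes=MAX_ARC_BYTES) -> bool:
    """Front-end check: True only if every arc fits within the cap."""
    try:
        decode_oid(payload, max_arc_bytes)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(decode_oid(RSA_OID_DER))                   # (1, 2, 840, 113549)
    print(decode_oid(OVERSIZED_ARC)[2].bit_length())  # grows with the input
    print(is_safe_oid(OVERSIZED_ARC))                # False
```

The bounded variant fails on the byte that would push an arc past the cap, so the cost of rejecting a malformed OID is proportional to the cap rather than to the attacker-controlled input length; the same check can sit in front of any ASN.1 decoder as a cheap pre-filter.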

Technical Appendix

CVSS Score: 7.5 / 10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Probability: 0.04% (top 89% most exploited)

Affected Systems

- LDAP servers (Python-based)
- SNMP agents/managers
- Custom TLS/SSL handshake processors
- X.509 certificate parsers
- OCSP responders

Affected Versions Detail

Product   Affected Versions   Fixed Version
pyasn1    < 0.6.2             0.6.2

Attribute             Detail
CWE                   CWE-770 (Allocation of Resources Without Limits)
CVSS v3.1             7.5 (High)
Attack Vector         Network (Remote)
Privileges Required   None
User Interaction      None
EPSS Score            0.00038

CWE-770: Allocation of Resources Without Limits or Throttling

The software allocates resources without limits or throttling, which can cause the consumption of all available resources.

Vulnerability Timeline

Patch Committed: 2024-06-15
Version 0.6.2 Released: 2024-06-18
