Bug 2430472 (CVE-2026-23490)

Summary: CVE-2026-23490 pyasn1: pyasn1: Denial of Service due to memory exhaustion from malformed RELATIVE-OID
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Flags: spichugi: needinfo? (prodsec-dev)
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in pyasn1, a generic ASN.1 library for Python. A remote attacker could exploit this vulnerability by sending a specially crafted RELATIVE-OID with excessive continuation octets. This input validation vulnerability leads to memory exhaustion, resulting in a Denial of Service (DoS) for the affected system.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2460558, 2460559, 2460560, 2438395, 2438396
Bug Blocks:

Description OSIDB Bzimport 2026-01-16 20:03:58 UTC
pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.
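As an added illustration, not code from pyasn1 and not the fix shipped in 0.6.2, the block below decodes the content octets of a RELATIVE-OID while enforcing fixed bounds, so that a sub-identifier with excessive continuation octets is rejected before it is accumulated rather than growing without limit. The limits, the function names and the sample byte strings are assumptions constructed here for the example.

```python
# Added example, not code from pyasn1 or from the 0.6.2 fix.
# Decodes the content octets of an ASN.1 RELATIVE-OID (X.690 base-128
# sub-identifiers) while enforcing fixed bounds, so a value with
# excessive continuation octets is rejected instead of accumulated.
# Each sub-identifier is a run of octets with bit 8 set (continuation)
# ended by one octet with bit 8 clear.

MAX_CONTINUATION_OCTETS = 8   # assumed limit: 9 octets hold a 63-bit arc
MAX_ARCS = 128                # assumed limit on sub-identifiers per value


class MalformedRelativeOid(ValueError):
    """Encoding violates X.690 or one of the defensive limits above."""


def decode_relative_oid(content: bytes) -> tuple[int, ...]:
    """Return the arcs of a RELATIVE-OID, or raise MalformedRelativeOid."""
    arcs = []
    value = 0
    run = 0  # continuation octets seen in the current sub-identifier
    for octet in content:
        if run == 0 and octet == 0x80:
            # X.690 forbids a leading 0x80: it would be a non-minimal encoding
            raise MalformedRelativeOid("sub-identifier starts with 0x80")
        if octet & 0x80:
            run += 1
            if run > MAX_CONTINUATION_OCTETS:
                raise MalformedRelativeOid(
                    f"more than {MAX_CONTINUATION_OCTETS} continuation octets")
            value = (value << 7) | (octet & 0x7F)
            continue
        arcs.append((value << 7) | octet)
        if len(arcs) > MAX_ARCS:
            raise MalformedRelativeOid("too many sub-identifiers")
        value = 0
        run = 0
    if run:
        raise MalformedRelativeOid("truncated sub-identifier")
    if not arcs:
        raise MalformedRelativeOid("no sub-identifiers")
    return tuple(arcs)


def is_well_formed(content: bytes) -> bool:
    """True if the content octets pass the bounded decoder."""
    try:
        decode_relative_oid(content)
    except MalformedRelativeOid:
        return False
    return True


# Constructed samples (not taken from the advisory).
VALID_SAMPLE = b"\x81\x00\x2a"                       # arcs 128, 42
OVERLONG_SAMPLE = b"\x81" + b"\x80" * 10 + b"\x01"   # one arc, 11 continuation octets
```

The check runs in a single pass over the content octets and holds at most one partially decoded arc, so its memory use is bounded by the limits rather than by the input.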

Comment 2 errata-xmlrpc 2026-02-04 12:03:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:1904 https://access.redhat.com/errata/RHSA-2026:1904

Comment 3 errata-xmlrpc 2026-02-04 15:04:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:1905 https://access.redhat.com/errata/RHSA-2026:1905

Comment 4 errata-xmlrpc 2026-02-04 15:23:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:1906 https://access.redhat.com/errata/RHSA-2026:1906

Comment 5 errata-xmlrpc 2026-02-04 18:40:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1903 https://access.redhat.com/errata/RHSA-2026:1903

Comment 7 errata-xmlrpc 2026-02-09 01:59:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:2221 https://access.redhat.com/errata/RHSA-2026:2221

Comment 8 errata-xmlrpc 2026-02-09 09:57:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:2303 https://access.redhat.com/errata/RHSA-2026:2303

Comment 9 errata-xmlrpc 2026-02-09 10:04:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:2300 https://access.redhat.com/errata/RHSA-2026:2300

Comment 10 errata-xmlrpc 2026-02-09 10:11:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:2302 https://access.redhat.com/errata/RHSA-2026:2302

Comment 11 errata-xmlrpc 2026-02-09 10:17:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:2299 https://access.redhat.com/errata/RHSA-2026:2299

Comment 12 errata-xmlrpc 2026-02-09 10:18:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:2309 https://access.redhat.com/errata/RHSA-2026:2309

Comment 14 errata-xmlrpc 2026-02-10 15:11:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:2453 https://access.redhat.com/errata/RHSA-2026:2453

Comment 15 errata-xmlrpc 2026-02-10 17:43:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:2460 https://access.redhat.com/errata/RHSA-2026:2460

Comment 16 errata-xmlrpc 2026-02-10 20:24:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:2483 https://access.redhat.com/errata/RHSA-2026:2483

Comment 17 errata-xmlrpc 2026-02-10 20:52:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:2486 https://access.redhat.com/errata/RHSA-2026:2486

Comment 18 errata-xmlrpc 2026-02-16 10:50:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:2712 https://access.redhat.com/errata/RHSA-2026:2712

Comment 19 errata-xmlrpc 2026-02-16 16:36:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:2758 https://access.redhat.com/errata/RHSA-2026:2758

Comment 20 errata-xmlrpc 2026-02-25 13:12:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:3354 https://access.redhat.com/errata/RHSA-2026:3354

Comment 21 errata-xmlrpc 2026-02-25 14:37:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:3359 https://access.redhat.com/errata/RHSA-2026:3359

Comment 22 errata-xmlrpc 2026-03-06 10:12:52 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 9
  Red Hat Ansible Automation Platform 2.6 for RHEL 10

Via RHSA-2026:3958 https://access.redhat.com/errata/RHSA-2026:3958

Comment 23 errata-xmlrpc 2026-03-06 10:55:17 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 8
  Red Hat Ansible Automation Platform 2.5 for RHEL 9

Via RHSA-2026:3959 https://access.redhat.com/errata/RHSA-2026:3959

Comment 24 errata-xmlrpc 2026-03-10 00:16:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:4145 https://access.redhat.com/errata/RHSA-2026:4145

Comment 25 errata-xmlrpc 2026-03-10 00:17:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:4142 https://access.redhat.com/errata/RHSA-2026:4142

Comment 26 errata-xmlrpc 2026-03-10 00:18:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:4138 https://access.redhat.com/errata/RHSA-2026:4138

Comment 27 errata-xmlrpc 2026-03-10 00:24:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:4144 https://access.redhat.com/errata/RHSA-2026:4144

Comment 28 errata-xmlrpc 2026-03-10 00:29:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:4148 https://access.redhat.com/errata/RHSA-2026:4148

Comment 29 errata-xmlrpc 2026-03-10 00:38:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:4146 https://access.redhat.com/errata/RHSA-2026:4146

Comment 30 errata-xmlrpc 2026-03-10 00:38:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:4140 https://access.redhat.com/errata/RHSA-2026:4140

Comment 31 errata-xmlrpc 2026-03-10 00:57:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:4139 https://access.redhat.com/errata/RHSA-2026:4139

Comment 32 errata-xmlrpc 2026-03-10 01:51:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:4147 https://access.redhat.com/errata/RHSA-2026:4147

Comment 33 errata-xmlrpc 2026-03-10 02:38:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:4143 https://access.redhat.com/errata/RHSA-2026:4143

Comment 34 errata-xmlrpc 2026-03-10 05:15:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:4141 https://access.redhat.com/errata/RHSA-2026:4141

Comment 37 errata-xmlrpc 2026-05-04 13:58:28 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 10
  Red Hat Ansible Automation Platform 2.6 for RHEL 9

Via RHSA-2026:13508 https://access.redhat.com/errata/RHSA-2026:13508

Comment 38 errata-xmlrpc 2026-05-04 14:15:22 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2026:13512 https://access.redhat.com/errata/RHSA-2026:13512

Comment 39 errata-xmlrpc 2026-05-20 11:54:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2026:17446 https://access.redhat.com/errata/RHSA-2026:17446

Comment 40 errata-xmlrpc 2026-05-20 13:31:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2026:17595 https://access.redhat.com/errata/RHSA-2026:17595