HIGH 8.2

CVE-2026-45615: asn1c OER Decoder Heap Out-of-Bounds Read Vulnerability

CVE-2026-45615 is a memory safety flaw in asn1c, an open-source ASN.1 compiler used to generate code that parses structured data formats. The vulnerability exists in the OER (Octet Encoding Rules) decoder template files generated by asn1c version 1.4 and earlier. When the generated decoder encounters a specially crafted, zero-length OER payload representing a variable-length non-negative integer, it attempts to read the Most Significant Bit without first validating that the payload contains sufficient bytes. This causes a precise one-byte out-of-bounds heap read. Since asn1c-generated parsers are commonly deployed to process untrusted network data—including automotive V2X protocols, 5G telecommunications headers, and X.509 certificates—a remote attacker can trigger this flaw by sending a malicious network message, potentially causing the application to crash or misinterpret critical security-relevant integers.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Weaknesses (CWE)
CWE-125, CWE-130, CWE-20
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

mouse07410/asn1c is an ASN.1 compiler. In 1.4 and earlier, a memory safety vulnerability was identified in the OER decoding skeleton files generated by asn1c (specifically INTEGER_oer.c). When parsing a maliciously crafted, zero-length OER payload for a variable-length, non-negative INTEGER type, the decoder fails to validate the required bytes before extracting the Most Significant Bit (MSB). This forces a precise 1-byte Heap Out-of-Bounds (OOB) Read. Because asn1c generated code is primarily deployed to parse untrusted network inputs (such as V2X network protocols, 5G telecom headers, or X.509 certificates), when the decoder processes untrusted network-originated input, a remote attacker can exploit this to cause a Denial of Service (DoS) or trigger incorrect integer interpretation in downstream applications (e.g., protocol state poisoning or logic bypass).

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the INTEGER_oer.c skeleton file template generated by asn1c when creating OER decoders for variable-length non-negative integers. The flaw occurs because the decoder does not validate the payload length before attempting to extract the MSB during parsing of zero-length OER encodings. This results in a one-byte heap out-of-bounds read (CWE-125). The root cause involves improper input validation (CWE-20) and a length-related memory access error (CWE-130). The vulnerability is triggered during the decoding phase when untrusted network data is parsed by any application that uses code generated by the vulnerable asn1c versions. The out-of-bounds read can leak adjacent heap memory or cause a segmentation fault depending on the heap state and application context.

Business impact

Organizations relying on asn1c-generated decoders face direct operational risk. In automotive and transportation sectors, V2X protocol stacks built with affected asn1c versions may crash or misinterpret safety-critical messages, potentially affecting vehicle coordination and collision avoidance logic. In telecommunications, 5G infrastructure components that parse network headers with generated code could experience availability disruptions. Web services or IoT devices parsing X.509 certificates using vulnerable generated code could be rendered unresponsive. Beyond immediate DoS impact, memory disclosure through the OOB read could compromise security properties that depend on integer confidentiality, and incorrect integer interpretation in downstream logic could enable protocol state poisoning or bypass of security checks. The broad use of asn1c in standards-compliant protocol implementations means remediation timelines directly correlate to exposure duration across multiple sectors.

Affected systems

Any application or service that uses code generated by asn1c version 1.4 or earlier is potentially affected, provided that generated code processes OER-encoded variable-length non-negative integers from untrusted sources. This includes: automotive V2X implementations using IEEE 1609.2 or similar standards; 5G telecom infrastructure parsing protocol headers; X.509 certificate validators; IoT devices running protocol stacks with asn1c-generated parsers; and any custom network protocol implementation leveraging asn1c for code generation. The scope is not limited to specific vendors or products, but rather to any deployed service built with the vulnerable compiler versions. Organizations should inventory internal uses of asn1c and downstream dependencies that may transitively include affected generated code.

Exploitability

Exploitability is high. The vulnerability requires only network access and no user interaction or authentication. An attacker can craft a zero-length OER INTEGER payload and send it as part of a legitimate-looking network message to any service parsing OER data. The attack surface is broad because asn1c is commonly used in protocol implementations that intentionally accept untrusted network input. The technical barrier to triggering the vulnerability is low—constructing a malicious OER packet requires only knowledge of the OER encoding format, which is publicly documented. The one-byte OOB read is deterministic and does not depend on heap spray or complex exploitation techniques, making it reliably triggerable. However, escalating from a crash or memory leak to code execution would require additional vulnerabilities or specific heap layout conditions.

Remediation

Upgrade asn1c to a version later than 1.4 that includes a fix for the OER INTEGER decoder. When upgrading asn1c, regenerate all affected protocol code and recompile applications that depend on that generated code. Verify against the vendor advisory that the patched asn1c version addresses CWE-125 and CWE-130 in the INTEGER_oer.c template. For organizations unable to immediately upgrade, implement network-level input validation to reject malformed OER packets before they reach the decoder, though this is a temporary mitigation and not a substitute for patching. Audit the codebase to identify all locations where asn1c-generated decoders process untrusted data, prioritizing those in safety-critical or high-availability contexts.

Patch guidance

Apply the latest available asn1c release that resolves this vulnerability. Verify the fix by reviewing the project's commit history or release notes to confirm that the INTEGER_oer.c template now validates payload length before accessing the MSB. After updating asn1c, regenerate code for all affected ASN.1 schemas and perform a full rebuild of dependent applications. Test thoroughly in a staging environment, particularly focusing on OER decoding of edge-case inputs such as zero-length and malformed integer encodings. Consider maintaining a mapping of which deployed services use which asn1c versions and when they were built, to facilitate rapid identification of systems requiring rebuilds post-patch.

Detection guidance

Monitor application logs and crash reports for segmentation faults or heap errors occurring in OER parsing paths, particularly in INTEGER_oer.c or generated variants thereof. Analyze network traffic for malformed OER packets with zero-length INTEGER encodings sent to OER decoders. In V2X and 5G environments, correlate application crashes with receipt of unusual protocol messages. Deploy heap sanitizers (AddressSanitizer, MemorySanitizer) in staging and canary deployments to catch OOB reads at runtime. Review source code repositories and build artifacts to identify which versions of asn1c were used to generate protocol parsers in your infrastructure. Consider using dependency scanning tools to flag applications that vendor asn1c version 1.4 or earlier.

Why prioritize this

This vulnerability merits immediate attention due to the combination of high exploitability, broad potential impact across critical infrastructure sectors, and the deterministic nature of the flaw. The CVSS 3.1 score of 8.2 reflects the high integrity and availability impact. The attack requires only network access with no authentication, making it a low-friction target for adversaries. Automotive and telecommunications sectors face particular risk because V2X and 5G implementations are often safety-critical and handle time-sensitive protocol messages. Organizations in these sectors should patch urgently. Even for organizations outside these sectors, the ease of exploit and the likelihood that asn1c-generated code exists in network-facing services justifies prioritization within the top tier of vulnerability remediation efforts.

Risk score, explained

The CVSS 3.1 score of 8.2 (HIGH severity) reflects: Attack Vector Network (AV:N)—no special network requirements; Attack Complexity Low (AC:L)—the vulnerability is triggered by a straightforward crafted payload; Privileges Required None (PR:N)—no authentication or privileges needed; User Interaction None (UI:N)—purely network-driven; Scope Unchanged (S:U)—impact is confined to the vulnerable application; Confidentiality None (C:N)—the OOB read may leak adjacent heap data but is not primarily a confidentiality vector in the scoring; Integrity Low (I:L)—incorrect integer interpretation can corrupt protocol state; Availability High (A:H)—DoS via crash is reliably achievable. The score appropriately weights the high likelihood of triggering a crash and the potential for protocol logic corruption, though the leaked memory impact is captured in the vulnerability narrative rather than quantified in the base score.

Frequently asked questions

Does this vulnerability affect applications that do not parse OER-encoded data?

No. The vulnerability is specific to OER decoding paths. Applications using asn1c for other encoding rules (such as DER, BER, or XER) are not affected. If your organization uses asn1c only for DER-encoded X.509 certificates or similar non-OER formats, you are not exposed to this particular vulnerability.

Can the one-byte heap out-of-bounds read be exploited for remote code execution?

The OOB read itself is unlikely to lead directly to RCE without additional vulnerabilities or very specific heap layout conditions. However, it can leak adjacent heap memory and cause application crashes (DoS). The real danger lies in protocol state poisoning—if the misread integer influences security-critical decisions downstream, it could enable logic bypass or incorrect protocol behavior. Organizations should treat this as a high-priority DoS and integrity threat, not primarily as an RCE vector.

Our organization uses asn1c but never regenerated code after an upgrade. Are we still vulnerable?

Yes. Vulnerability status depends on the version of asn1c that was used to generate the code you are currently running, not the version you have installed now. If you generated code with asn1c 1.4 or earlier and have not since regenerated it with a patched version, that code remains vulnerable. You must regenerate all affected protocol code with the patched asn1c version and redeploy the application to remediate.

What is the scope of asn1c usage in typical organizations?

asn1c is used wherever standardized protocol definitions are implemented: telecommunications (3GPP, 5G), automotive (ETSI, V2X), security (X.509 certificates), IoT, and many custom enterprise protocols. It is often pulled in transitively as a build-time dependency and the generated code is then embedded in binary artifacts. Organizations should audit their software bill of materials (SBOM) and build systems to identify where asn1c-generated code appears, particularly in network-facing services.

This analysis is based on publicly available vulnerability data current as of the publication date. CVSS scores and remediation guidance are derived from the CVE record and vendor advisories; organizations should verify patch details directly with asn1c project releases and their own vendor advisories. This document does not constitute a guarantee of security and is intended to support risk-informed decision-making. Security teams should conduct their own impact assessment and testing in staging environments before deploying patches to production. The presence of asn1c-generated code in any given system depends on organization-specific build and deployment practices; exposure assessment requires internal audit and discovery efforts. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).