VYPR
High severity 7.5 · GHSA Advisory · Published May 12, 2026 · Updated May 13, 2026

CVE-2026-44167

Description

phpseclib is a PHP secure communications library. Prior to 1.0.29, 2.0.54, and 3.0.52, anyone loading untrusted ASN1 files (e.g. X509 certificates, RSA PKCS8 private or public keys, etc.). This is a bypass of CVE-2024-27355. This vulnerability is fixed in 1.0.29, 2.0.54, and 3.0.52.

Patches

d53d2021bcb9

ASN1: reduce length of supported OIDs from 4096 bytes to 128 bytes

https://github.com/phpseclib/phpseclib · terrafrost · Apr 27, 2026 · via ghsa
1 file changed · +2 -2
  • phpseclib/File/ASN1.php +2 -2 modified
    @@ -1282,8 +1282,8 @@ function _decodeOID($content)
             $pos = 0;
             $len = strlen($content);
             // see https://github.com/openjdk/jdk/blob/2deb318c9f047ec5a4b160d66a4b52f93688ec42/src/java.base/share/classes/sun/security/util/ObjectIdentifier.java#L55
    -        if ($len > 4096) {
    -            //user_error('Object Identifier size is limited to 4096 bytes');
    +        if ($len > 128) {
    +            //user_error('Object Identifier size is limited to 128 bytes');
                 return false;
             }
     
    
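Review bot: The new bound in `_decodeOID()` (`if ($len > 128)`) is a bare literal repeated in the commented-out message, and the unchanged comment above it still cites the same OpenJDK `ObjectIdentifier.java` line that sat over the old 4096 value, so nothing in the hunk says why 128 was chosen. Suggest a named constant with a one-line rationale, and updating or dropping the link if it no longer matches the limit. The `user_error()` call stays commented out, so an over-length OID is rejected with a silent `return false`; callers parsing untrusted certificates or keys get no diagnostic that the length cap was the cause. The commit touches only `phpseclib/File/ASN1.php`, so a regression test pinning the boundary (a 128-byte OID still decodes, a 129-byte one returns false) would be worth adding alongside it.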
