CVE-2026-45615
Description
mouse07410/asn1c is an ASN.1 compiler. In 1.4 and earlier, a memory safety vulnerability was identified in the OER decoding skeleton files generated by asn1c (specifically INTEGER_oer.c). When parsing a maliciously crafted, zero-length OER payload for a variable-length, non-negative INTEGER type, the decoder fails to validate the required bytes before extracting the Most Significant Bit (MSB). This forces a precise 1-byte Heap Out-of-Bounds (OOB) Read. Because asn1c-generated code is primarily deployed to parse untrusted network inputs (such as V2X network protocols, 5G telecom headers, or X.509 certificates), when the decoder processes untrusted network-originated input, a remote attacker can exploit this to cause a Denial of Service (DoS) or trigger incorrect integer interpretation in downstream applications (e.g., protocol state poisoning or logic bypass).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap out-of-bounds read in asn1c's OER decoder allows remote attackers to cause denial of service or logic bypass via a crafted zero-length payload.
Vulnerability
In asn1c versions 1.4 and earlier (including the original vlm/asn1c v0.9.28), the INTEGER_decode_oer function in INTEGER_oer.c fails to validate the required bytes when parsing a zero-length OER payload for a variable-length, non-negative INTEGER type. This leads to a 1-byte heap out-of-bounds read when extracting the Most Significant Bit (MSB). The vulnerable code is generated into downstream applications that use asn1c to compile ASN.1 schemas, affecting projects such as V2X network stacks, 5G telecom headers, and X.509 certificate parsers [1].
Exploitation
An attacker can exploit this vulnerability by sending a maliciously crafted OER payload with a zero-length length field for a variable-length non-negative INTEGER to any service that uses an asn1c-generated decoder. No authentication is required; the attacker only needs network access to the target service. The decoder will then perform the out-of-bounds read, potentially causing a crash or returning an incorrect integer value [1].
Impact
Successful exploitation can result in a denial of service (DoS) due to application crash, or incorrect integer interpretation that may lead to protocol state poisoning or logic bypass in downstream processing. The heap OOB read is limited to one byte, but the consequences depend on how the decoded integer is used in the application [1].
Mitigation
As of the advisory publication date, no patched version of asn1c has been released. Users should monitor the repository for updates and apply any future fixes. In the interim, consider using alternative ASN.1 decoders or implementing input validation on OER payloads before decoding [1].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <=1.4
- (no CPE) range: <=1.4
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation of `req_bytes > 0` before dereferencing the pointer to extract the MSB in `INTEGER_decode_oer`, allowing a 1-byte heap out-of-bounds read when the OER length determinant is zero."
Attack vector
A remote attacker sends a maliciously crafted OER payload where the length determinant for a variable-length, non-negative INTEGER field is set to 0x00. The decoder fails to validate that `req_bytes > 0` before dereferencing the pointer to extract the Most Significant Bit (MSB). If the payload is positioned at the end of a memory page, the 1-byte out-of-bounds read crosses into unmapped memory, causing an immediate segmentation fault (DoS). If the read occurs mid-buffer, the decoder silently absorbs 1 bit of adjacent heap memory and returns a corrupted integer value, potentially leading to protocol state poisoning or logic bypass in downstream applications such as V2X or 5G telecom parsers.
Affected code
The vulnerability is in the OER decoding skeleton file `skeletons/INTEGER_oer.c` (line 62) generated by asn1c. The flaw originates from the original vlm codebase and persists in the active fork mouse07410/asn1c up to version 1.4. Because asn1c embeds decoder skeletons directly into generated source code, the vulnerable logic is replicated into downstream applications at code generation time, including projects like Vanetza.
What the fix does
The advisory's suggested fix adds a check `if (req_bytes == 0) { ASN__DECODE_FAILED; }` before the MSB extraction at line 62 of `INTEGER_oer.c`. This ensures that when the OER length determinant is zero, the decoder immediately fails rather than dereferencing a pointer into an empty buffer. The patch closes the missing input validation that allowed the length parameter inconsistency to cause the out-of-bounds read. The advisory notes that comprehensive regression testing across all supported encoding rules is recommended before merging.
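The check described above, as an added illustration rather than asn1c's own `INTEGER_oer.c`: a minimal decoder for a variable-length, non-negative OER INTEGER (ct.width == 0, ct.positive == 1) that rejects a zero length determinant before it examines the MSB of the first content byte. It assumes a short-form length determinant (values below 128), at most eight content bytes, and an output buffer of `OER_INT_MAX + 1` bytes; the function and constant names are hypothetical.

```c
/* Added illustration, not asn1c's INTEGER_oer.c. Decodes an OER variable-length,
 * non-negative INTEGER with the advisory's fix applied (zero length rejected before
 * the MSB test). Assumes a short-form length determinant and <= 8 content bytes. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum oer_rc { OER_OK = 0, OER_WMORE = 1, OER_FAIL = 2 };
#define OER_INT_MAX 8   /* content bytes accepted by this illustration */

/* Decodes buf[0..size) into a two's-complement, big-endian byte string in out
 * (the shape asn1c's INTEGER_t uses), prepending 0x00 when the MSB is set so the
 * value stays non-negative. Returns the status; *out_len and *consumed are set
 * only on OER_OK. */
enum oer_rc
decode_nonneg_integer_oer(const uint8_t *buf, size_t size,
                          uint8_t out[OER_INT_MAX + 1], size_t *out_len,
                          size_t *consumed)
{
    if (size < 1) return OER_WMORE;          /* length determinant not yet available */
    if (buf[0] & 0x80) return OER_FAIL;      /* long-form determinant: out of scope here */
    size_t req_bytes = buf[0];

    /* The advisory's fix: a zero length determinant must fail here. Without this
     * check the MSB test below dereferences buf[1], one byte past a 1-byte payload
     * that holds only 0x00. */
    if (req_bytes == 0) return OER_FAIL;

    if (req_bytes > OER_INT_MAX) return OER_FAIL;
    if (size - 1 < req_bytes) return OER_WMORE;   /* content bytes not all present */

    const uint8_t *p = buf + 1;
    size_t n = 0;
    /* Non-negative INTEGER: an MSB of 1 would read as negative in two's complement,
     * so a leading zero byte is inserted. p[0] is in bounds because req_bytes >= 1
     * and size - 1 >= req_bytes were both established above. */
    if (p[0] & 0x80) out[n++] = 0x00;
    memcpy(out + n, p, req_bytes);
    *out_len = n + req_bytes;
    *consumed = 1 + req_bytes;
    return OER_OK;
}
```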
Preconditions
- config: The ASN.1 schema must define a variable-length INTEGER type (ct.width == 0), e.g., INTEGER (0..MAX)
- config: The INTEGER type must have a non-negative lower bound (ct.positive == 1)
- input: The attacker must control the OER-encoded input and set the length determinant to 0x00
- network: The decoder must be processing untrusted network-originated input (AV:N)
Reproduction
1. Create a minimal ASN.1 schema (`poc.asn1`) defining `PocType ::= INTEGER (0..MAX)`.
2. Generate decoder skeletons: `asn1c -gen-OER poc.asn1` and remove auto-generated examples (`rm converter-example.c pdu_collection.c`).
3. For ASAN proof: compile with `gcc -fsanitize=address -g -I. *.c -o poc_asan_exec` using the `poc_asan.c` harness (which allocates a 1-byte buffer containing 0x00). Run `./poc_asan_exec`; ASAN reports a heap-buffer-overflow at `INTEGER_oer.c:62`.
4. For DoS proof: compile with `gcc -g -I. *.c -o poc_dos_exec` using the `poc_dos.c` harness (which places the 0x00 payload at the last byte of a page adjacent to a PROT_NONE guard page). Run `./poc_dos_exec`; the process crashes with a segmentation fault.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.