HIGH | CVE-2026-45615 | CNA: GitHub_M

CVE-2026-45615: mouse07410/asn1c: 1-byte Heap Out-of-Bounds Read in `INTEGER_decode_oer` via Malformed OER Payload

mouse07410/asn1c is an ASN.1 compiler. In 1.4 and earlier, a memory safety vulnerability was identified in the OER decoding skeleton files generated by asn1c (specifically INTEGER_oer.c). When parsing a maliciously crafted, zero-length OER payload for a variable-length, non-negative INTEGER type, the decoder fails to validate the required bytes before extracting the Most Significant Bit (MSB). This forces a precise 1-byte Heap Out-of-Bounds (OOB) Read. Because asn1c generated code is primarily deployed to parse untrusted network inputs (such as V2X network protocols, 5G telecom headers, or X.509 certificates), when the decoder processes untrusted network-originated input, a remote attacker can exploit this to cause a Denial of Service (DoS) or trigger incorrect integer interpretation in downstream applications (e.g., protocol state poisoning or logic bypass).

HarborGuard Analysis

Synopsis

A 1-byte heap out-of-bounds read in the OER decoding skeleton generated by mouse07410/asn1c (INTEGER_oer.c's INTEGER_decode_oer) affects version 1.4 and earlier. The bug is reachable over the network with no authentication and no user interaction by sending a malformed zero-length OER payload for a variable-length non-negative INTEGER, which causes the decoder to read past the buffer when extracting the most significant bit. Successful exploitation crashes the parser (denial of service) or yields a corrupted integer value that can poison downstream protocol state or bypass application logic. No upstream fix has been published; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against asn1c-derived code and binaries in customer registries and CI pipelines, including custom-built images that link generated INTEGER_oer.c skeletons.

Status: Available

Triage

Triage is available with the recorded CVSS 8.2 (High) score weighted by each customer org's compliance policy, so environments that flag network-reachable parsers or telecom and V2X workloads can escalate this above the default severity. Findings route to the inbox configured for the owning team inside each customer org.

Status: Available

Patch

No upstream fix version is published, so a patched-image rebuild is not yet available. HarborGuard re-checks the advisory on each ingest cycle and will make a rebuilt image at the fix version available automatically once mouse07410/asn1c ships a patch, with auto-remediation customers getting a regression run and a PR opened against affected workloads at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    AV:N: the attacker reaches the vulnerable decoder by sending a crafted OER payload over the network, typical for V2X, 5G, or X.509 parsing surfaces.

  • Authentication: Not required

    PR:N: no credentials are needed; any unauthenticated sender that can deliver an OER message to the parser can trigger the bug.

  • Victim interaction: Not required

    UI:N: exploitation happens entirely inside the decoder when the malformed payload is processed, with no user action required.

  • Attack complexity: Detail

    AC:L: crafting a zero-length OER INTEGER payload is trivial and the out-of-bounds read fires deterministically on the first parse.

Blast Radius

  • Crashes the asn1c-generated decoder process, taking down protocol handlers for V2X, 5G signaling, or X.509 certificate validation (A:H).
  • Returns an attacker-influenced integer value to the calling application, enabling protocol state poisoning or logic bypass in code that trusts the decoded field (I:L).
  • Adjacent heap byte contents may influence the resulting integer, giving an attacker a narrow oracle into process memory layout even though confidentiality impact is rated none.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the mouse07410/asn1c advisory and matching against every image that ships asn1c-generated OER decoders, including custom builds. While no upstream fix exists, compensating-control guidance is surfaced alongside the finding: isolate parsers behind network policy so only trusted peers can deliver OER payloads, add input-length validation in front of INTEGER_decode_oer where the application controls the call site, and gate exposure of new V2X or telecom listeners behind a feature flag until the upstream patch lands. The moment a fixed version is published, a patched-image rebuild becomes available automatically, and environments with auto-remediation enabled receive a rebuild, regression run, and PR opened against affected workloads without further action.
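The input-length validation mentioned above can be a small check that runs before the buffer reaches INTEGER_decode_oer. The following is an added example, not code from asn1c or HarborGuard: the function and enum names are hypothetical, and it assumes the buffer starts at the INTEGER's OER length determinant (X.696 layout: length determinant, then content octets).

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical pre-decode check (not part of asn1c): validates the OER
 * length determinant of a variable-length INTEGER before the buffer is
 * handed to the generated decoder. Assumes buf starts at the determinant. */
typedef enum {
    OER_PRE_OK = 0,        /* at least one content octet is present */
    OER_PRE_WANT_MORE,     /* buffer ends before the declared content */
    OER_PRE_ZERO_LENGTH,   /* declared length is 0: no octet holds the MSB */
    OER_PRE_BAD_LENGTH     /* malformed or oversized length determinant */
} oer_pre_result;

oer_pre_result oer_integer_precheck(const uint8_t *buf, size_t size, size_t *content_len)
{
    size_t len = 0, hdr = 1;

    if (buf == NULL || size == 0)
        return OER_PRE_WANT_MORE;
    if ((buf[0] & 0x80) == 0) {
        len = buf[0];                      /* short form: 0..127 */
    } else {
        size_t n = buf[0] & 0x7F;          /* long form: n length octets follow */
        if (n == 0 || n > sizeof(size_t))
            return OER_PRE_BAD_LENGTH;
        if (size - 1 < n)
            return OER_PRE_WANT_MORE;
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[1 + i];
        hdr += n;
    }
    if (len == 0)
        return OER_PRE_ZERO_LENGTH;        /* the zero-length case in this CVE */
    if (size - hdr < len)
        return OER_PRE_WANT_MORE;
    if (content_len)
        *content_len = len;
    return OER_PRE_OK;
}

int main(void)
{
    static const uint8_t zero_len[] = { 0x00 };        /* constructed sample */
    static const uint8_t one_byte[] = { 0x01, 0x7F };  /* constructed sample */
    return !(oer_integer_precheck(zero_len, sizeof zero_len, NULL) == OER_PRE_ZERO_LENGTH
          && oer_integer_precheck(one_byte, sizeof one_byte, NULL) == OER_PRE_OK);
}
```

Only a result of OER_PRE_OK should be passed on to the generated decoder; the other results are rejected or buffered at the call site.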

Metrics

CVSS v3.1: 8.2
Severity: HIGH
Fixed in: (not listed)
Affected products: 1
Affected packages:
  • mouse07410 / asn1c <= 1.4
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H