An issue was discovered in mouse07410 asn1c thru 0.9.29 (2025-03-20) - a fork of vlm asn1c. In UPER (Unaligned Packed Encoding Rules), asn1c-generated decoders fail to enforce INTEGER constraints when the bound is positive and exceeds 32 bits in length, potentially allowing incorrect or malicious input to be processed.
The asn1c tool generates decoder code based on ASN.1 schemas. In UPER mode (Unaligned Packed Encoding Rules), the generated code does not properly validate constraints for the INTEGER type when the defined upper bound is a positive value exceeding 32 bits. An attacker can provide specially crafted input data that is accepted despite violating the declared schema constraints. The bug is classified as CWE-1284 (Improper Validation of Specified Quantity in Input), which means a lack of proper verification of quantitative data properties.
An attacker can smuggle invalid INTEGER values into the logic of an application using generated decoders, which may lead to data corruption, unexpected program behavior, and consequently potentially to application takeover, information disclosure, or destabilization.
Apply patches available from the vendor according to references. Additionally, it is recommended to review and regenerate all UPER decoders in applications using vulnerable versions of the asn1c tool and implement additional validation on the application side for INTEGER input data with >32-bit constraints.
mouse07410 asn1c in versions up to 0.9.29 inclusive (up to the release from 2025-03-20), being a fork of vlm asn1c — affects applications using UPER decoders generated by this tool
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H