CRITICAL🇵🇱 Wersja polska

CVE-2025-55398

CVSS 9.8v3.1pub. 2025-08-22upd. 2026-04-15

An issue was discovered in mouse07410 asn1c thru 0.9.29 (2025-03-20) - a fork of vlm asn1c. In UPER (Unaligned Packed Encoding Rules), asn1c-generated decoders fail to enforce INTEGER constraints when the bound is positive and exceeds 32 bits in length, potentially allowing incorrect or malicious input to be processed.

🤖 AI Analysis
How it works

The asn1c tool generates decoder code based on ASN.1 schemas. In UPER mode (Unaligned Packed Encoding Rules), the generated code does not properly validate constraints for the INTEGER type when the defined upper bound is a positive value exceeding 32 bits. An attacker can provide specially crafted input data that is accepted despite violating the declared schema constraints. The bug is classified as CWE-1284 (Improper Validation of Specified Quantity in Input), which means a lack of proper verification of quantitative data properties.

Impact

An attacker can smuggle invalid INTEGER values into the logic of an application using generated decoders, which may lead to data corruption, unexpected program behavior, and consequently potentially to application takeover, information disclosure, or destabilization.

Mitigation & patch

Apply patches available from the vendor according to references. Additionally, it is recommended to review and regenerate all UPER decoders in applications using vulnerable versions of the asn1c tool and implement additional validation on the application side for INTEGER input data with >32-bit constraints.

Who is affected

mouse07410 asn1c in versions up to 0.9.29 inclusive (up to the release from 2025-03-20), being a fork of vlm asn1c — affects applications using UPER decoders generated by this tool

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References