
CISA alerts on libtasn1 stack overflow in v4.20.0 and earlier

GNU libtasn1 versions v4.20.0 and earlier contain a stack-based buffer overflow in their Abstract Syntax Notation One (ASN.1) parsing code that can overwrite adjacent memory and produce unexpected behavior when processing ASN.1 input.

The issue is tracked as CVE-2025-13151 and involves the function asn1_expand_octet_string in the file decoding.c. GNU libtasn1 is a low-level C library for manipulating ASN.1 data and encoding rules, including Distinguished Encoding Rules (DER) as defined by ITU-T Recommendations X.680 and X.690. The vulnerability stems from unbounded use of strcpy and strcat to assemble a local stack buffer named name from the fields definitions->name and p2->name. If both source strings reach their maximum allowed length, concatenating them with a separator character (“.”) and a terminating null byte leaves the destination undersized by one byte, so the final null terminator written by strcat overflows the buffer by a single byte.

An attacker can trigger the one-byte overflow by supplying malformed ASN.1 data that violates the library’s expectation that passed ASN.1 structures have been validated by the calling application. Because the overflow is a single byte, the scope of the condition is limited; exploitation is constrained and may be further mitigated by compiler protections such as stack canaries, _FORTIFY_SOURCE, and other hardening mechanisms. Because GNU libtasn1 is used in cryptographic libraries and security-sensitive contexts, malformed ASN.1 input that triggers this condition could cause parsing failures or abnormal behavior during cryptographic operations, including signature verification and cryptographic data validation.

A patch addressing the issue has been proposed to the GNU libtasn1 project and is available for review and testing at https://gitlab.com/gnutls/libtasn1/-/merge_requests/121. Developers and integrators are encouraged to evaluate that merge request and to apply mitigations referenced by the project, such as replacing unbounded string operations with bounded alternatives or safer formatting functions, to remove the overflow condition in affected versions. Read https://gitlab.com/gnutls/libtasn1/-/blob/master/NEWS.md for updates.
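The bounded-formatting mitigation mentioned above, as an added example that is neither libtasn1's code nor the proposed patch. MAX_NAME_LEN, JOINED_BUF_SIZE and the function names are hypothetical, with sizes chosen so the buffer is one byte short for two maximum-length names, as the advisory describes.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes for illustration, not taken from libtasn1 headers. */
#define MAX_NAME_LEN 64                        /* max characters per name */
#define JOINED_BUF_SIZE (2 * MAX_NAME_LEN + 1) /* one byte too small */

/* Bytes needed for "<a>.<b>", including the terminating NUL. */
static size_t joined_size(const char *a, const char *b)
{
    return strlen(a) + 1 /* '.' */ + strlen(b) + 1 /* NUL */;
}

/* Unbounded pattern described in the advisory, for comparison only:
       strcpy(dst, a); strcat(dst, "."); strcat(dst, b);
   Bounded replacement: returns 0 on success, or -1 when the result does
   not fit, leaving dst as an empty string instead of truncated data. */
static int join_name_bounded(char *dst, size_t dstsz,
                             const char *a, const char *b)
{
    int n;
    if (dstsz == 0) return -1;
    n = snprintf(dst, dstsz, "%s.%s", a, b);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed input: two maximum-length names against the short buffer. */
static int demo_max_length_rejected(void)
{
    char a[MAX_NAME_LEN + 1], b[MAX_NAME_LEN + 1], name[JOINED_BUF_SIZE];
    memset(a, 'A', MAX_NAME_LEN); a[MAX_NAME_LEN] = '\0';
    memset(b, 'B', MAX_NAME_LEN); b[MAX_NAME_LEN] = '\0';
    return joined_size(a, b) == JOINED_BUF_SIZE + 1  /* needs one more byte */
        && join_name_bounded(name, sizeof name, a, b) == -1
        && name[0] == '\0';
}

int main(void)
{
    char name[JOINED_BUF_SIZE];
    if (join_name_bounded(name, sizeof name, "Certificate", "signature") == 0)
        printf("joined: %s\n", name);
    printf("max-length pair rejected: %d\n", demo_max_length_rejected());
    return 0;
}
```

The length check treats a result that does not fit as an error, so the caller never continues with a silently truncated name.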

Acknowledgements: Benny Zelster from Microsoft Research coordinated the disclosure; this document was written by Vijay Sarvepalli.