PT-2026-44847 · Asn1C · Asn1C

Tw89Coder · Published 2026-05-29 · Updated 2026-05-29 · CVE-2026-45615

CVSS v3.1: 8.2 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions

mouse07410/asn1c versions 1.4 and earlier

Description

A memory safety issue exists in the OER decoding skeleton files generated by the ASN.1 compiler, specifically within INTEGER_oer.c, in the INTEGER_decode_oer() function. When the decoder processes a maliciously crafted, zero-length OER payload for a variable-length, non-negative INTEGER type, it fails to validate the required bytes before extracting the Most Significant Bit (MSB). This results in a 1-byte Heap Out-of-Bounds (OOB) Read, a condition where the system reads data past the end of the allocated heap memory buffer. A remote attacker can exploit this when the generated code parses untrusted network inputs, such as 5G telecom headers, V2X network protocols, or X.509 certificates, potentially leading to a Denial of Service (DoS) or incorrect integer interpretation in downstream applications, which may cause logic bypass or protocol state poisoning.

Recommendations

Update to a version later than 1.4. As a temporary workaround, restrict the processing of untrusted network-originated OER payloads until the update is applied.
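
The bounds check the description says is missing, shown in a minimal decoder. This is an added example, not code from asn1c or from this advisory; the function name oer_uint_to_signed, the short-form-only length handling, and the sample inputs are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not asn1c's API). Decodes an OER variable-length,
 * non-negative INTEGER (short-form length octet + unsigned content) into
 * a signed big-endian buffer, prepending 0x00 when the top bit of the
 * first content octet is set. Returns octets written, or -1 on error. */
int oer_uint_to_signed(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_cap)
{
    if (in == NULL || out == NULL || in_len < 1)
        return -1;                      /* no length octet present */
    size_t req = in[0];
    if (req & 0x80)
        return -1;                      /* long-form length: not handled here */
    const uint8_t *content = in + 1;
    size_t avail = in_len - 1;

    /* Validate the required bytes BEFORE touching content[0]. With req == 0
     * there is no first octet, and reading its MSB would look one byte past
     * the input. Treated as malformed here (this example's assumption). */
    if (req == 0 || req > avail)
        return -1;

    size_t pad = (content[0] & 0x80) ? 1 : 0;   /* safe: req >= 1 */
    if (req + pad > out_cap)
        return -1;
    if (pad)
        out[0] = 0x00;
    memcpy(out + pad, content, req);
    return (int)(req + pad);
}

int main(void)
{
    /* Constructed inputs: a zero-length value, then the value 0x80. */
    const uint8_t empty[] = { 0x00 };
    const uint8_t high[]  = { 0x01, 0x80 };
    uint8_t out[8];
    printf("zero-length: %d\n", oer_uint_to_signed(empty, sizeof empty, out, sizeof out));
    printf("0x80:        %d\n", oer_uint_to_signed(high, sizeof high, out, sizeof out));
    return 0;
}
```

Building a harness around the real generated decoder with AddressSanitizer and feeding it an exact-size heap copy of the zero-length input is a direct way to confirm whether a given build still performs the 1-byte read.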

Exploit · Fix · DoS · RCE · Out of bounds Read

Weakness Enumeration

Related Identifiers: CVE-2026-45615

Affected Products: Asn1C