{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/271649#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"## Overview\r\nA stack-based buffer overflow vulnerability exists in GNU libtasn1, a low-level ASN.1 parsing library. The issue is caused by unsafe string concatenation in the `asn1_expand_octet_string` function located in `decoding.c`. Under worst-case conditions, this results in a one-byte stack overflow that may corrupt adjacent memory.  While the overflow is limited to a single byte, such conditions can still lead to unexpected behavior when processing untrusted ASN.1 input data.\r\n\r\n## Description\r\nGNU libtasn1 is a low-level C library for manipulating Abstract Syntax Notation One (ASN.1) data structures and encoding rules, including Distinguished Encoding Rules (DER). It implements functionality defined by ITU-T Recommendations X.680 and X.690 and is widely used as a foundational component in cryptographic software stacks to parse and validate complex ASN.1-encoded data.\r\n\r\nA stack-based buffer overflow has been identified in the function `asn1_expand_octet_string` in the file `decoding.c`. The vulnerability arises from the use of unbounded string manipulation functions (`strcpy` and `strcat`) to construct a local stack buffer (`name`) using the fields `definitions->name` and `p2->name`.  In the worst-case scenario, both source strings may be at their maximum allowed length. When concatenated together with an additional separator character (`\".\"`) and a terminating null byte, the destination buffer is undersized by one byte. As a result, the final null terminator written by `strcat` overflows the allocated stack buffer by a single byte.\r\n\r\nAlthough the overflow is limited in size, it occurs during the parsing of potentially untrusted ASN.1 input. 
One-byte stack overflows have historically led to subtle memory corruption issues and may cause unexpected behavior, including crashes, during cryptographic operations such as signature verification or certificate parsing.\r\n\r\n## Impact\r\nAn attacker could trigger the buffer overflow using malformed ASN.1 data to potentially corrupt memory or cause unexpected behavior. This requires breaking libtasn1’s assumption that ASN.1 structures passed to it are already validated by the main application using this library. The impact of this vulnerability is limited due to the one-byte nature of the overflow. Exploitation is constrained and may be further mitigated by modern compiler protections such as stack canaries, `_FORTIFY_SOURCE`, and other hardening mechanisms. However, as GNU libtasn1 is commonly used in cryptographic libraries and security-sensitive contexts, malformed ASN.1 input triggering this condition could result in parsing failures or abnormal behavior during critical cryptographic operations, including signature verification and cryptographic data validation.\r\n\r\n## Solution\r\nA patch addressing this issue has been proposed to the GNU libtasn1 project and is available for review and testing at: [https://gitlab.com/gnutls/libtasn1/-/merge_requests/121](https://gitlab.com/gnutls/libtasn1/-/merge_requests/121). Developers and integrators are encouraged to evaluate the patch and apply appropriate mitigations, such as using bounded string operations or safer formatting functions, to eliminate the overflow condition in affected versions.  
Read [https://gitlab.com/gnutls/libtasn1/-/blob/master/NEWS.md](https://gitlab.com/gnutls/libtasn1/-/blob/master/NEWS.md) for updates.\r\n\r\n## Acknowledgements\r\nThanks to Benny Zelster from Microsoft Research for coordinating the disclosure of this vulnerability. This document was written by Vijay Sarvepalli.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document 
released","category":"self","url":"https://kb.cert.org/vuls/id/271649"},{"url":"https://gitlab.com/gnutls/libtasn1","summary":"https://gitlab.com/gnutls/libtasn1"},{"url":"https://gitlab.com/gnutls/libtasn1/-/merge_requests/121","summary":"https://gitlab.com/gnutls/libtasn1/-/merge_requests/121"},{"url":"https://gitlab.com/gnutls/libtasn1/-/blob/master/NEWS.md","summary":"https://gitlab.com/gnutls/libtasn1/-/blob/master/NEWS.md"},{"url":"https://gitlab.com/gnutls/libtasn1/-/blob/master/doc/security/CVE-2025-13151.md","summary":"https://gitlab.com/gnutls/libtasn1/-/blob/master/doc/security/CVE-2025-13151.md"}],"title":"Stack-based buffer overflow in libtasn1 versions v4.20.0 and earlier","tracking":{"current_release_date":"2026-01-20T16:27:51+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#271649","initial_release_date":"2026-01-20 16:27:51.743083+00:00","revision_history":[{"date":"2026-01-20T16:27:51+00:00","number":"1.20260120162751.1","summary":"Released on 2026-01-20T16:27:51+00:00"}],"status":"final","version":"1.20260120162751.1"}},"vulnerabilities":[{"title":"Stack-based buffer overflow in libtasn1 version: v4.","notes":[{"category":"summary","text":"Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expand_octet_string."}],"cve":"CVE-2025-13151","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#271649"}],"product_status":{"known_affected":["CSAFPID-9b6fbb5e-350d-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"GnuTLS","product":{"name":"GnuTLS Products","product_id":"CSAFPID-9b6fbb5e-350d-11f1-8422-122e2785dc9f"}}]}}