CVE-2021-46848
Published 2022-10-24
CVE-2021-46848: GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.
Priority: P347 · critical · 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:H
EPSS: 2.06% (79.0th percentile)
GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | libtasn1-6 | < libtasn1-6 4.19.0-2 (bookworm) | libtasn1-6 4.19.0-2 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| gnu | libtasn1 | < 4.19.0 | 4.19.0 |
| msrc | cbl2_libtasn1_4.19.0-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_libtasn1_4.14-3_on_cbl_mariner_1.0 | — | — |
| paloalto | pan-os | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| osv | — | 9.1 | CRITICAL | — |
| vendor_debian | — | 9.1 | CRITICAL | — |
| vendor_msrc | — | 9.1 | CRITICAL | — |
| vendor_oracle | — | 9.1 | CRITICAL | — |
| vendor_redhat | — | 9.1 | CRITICAL | — |
| vendor_ubuntu | — | 9.1 | CRITICAL | — |
Ubuntu
Libtasn1 vulnerabilities
vendor_ubuntu·2026-02-10·CVSS 9.1
CVE-2021-46848 [CRITICAL] Libtasn1 vulnerabilities
Title: Libtasn1 vulnerabilities
Summary: Several security issues were fixed in Libtasn1.
USN-7954-1 fixed vulnerabilities in Libtasn1. This update provides the
corresponding updates for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu
18.04 LTS, and Ubuntu 20.04 LTS. CVE-2021-46848 only affected Ubuntu
14.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that Libtasn1 incorrectly handled decoding ASN.1
content. An attacker could possibly use this issue to cause Libtasn1 to
crash, resulting in a denial of service. (CVE-2025-13151)
It was discovered that Libtasn1 incorrectly handled encoding ASN.1
content. An attacker could possibly use this issue to cause Libtasn1 to
crash, resulting in a denial of service. This issue only affected
Ubuntu 22.04 LTS.
Ubuntu
Libtasn1 vulnerabilities
vendor_ubuntu·2026-01-12·CVSS 9.1
CVE-2025-13151 [CRITICAL] Libtasn1 vulnerabilities
Title: Libtasn1 vulnerabilities
Summary: Libtasn1 could be made to crash if it received specially crafted input.
It was discovered that Libtasn1 incorrectly handled decoding ASN.1 content.
An attacker could possibly use this issue to cause Libtasn1 to crash,
resulting in a denial of service. (CVE-2025-13151)
It was discovered that Libtasn1 incorrectly handled encoding ASN.1 content.
An attacker could possibly use this issue to cause Libtasn1 to crash,
resulting in a denial of service. This issue only affected Ubuntu 22.04
LTS. (CVE-2021-46848)
Instructions: In general, a standard system update will make all the necessary changes.
Palo Alto
PAN-SA-2024-0004 Informational Bulletin: OSS CVEs fixed in PAN-OS
vendor_paloalto·2024-04-10·CVSS 9.8
CVE-2015-5739 [CRITICAL] PAN-SA-2024-0004 Informational Bulletin: OSS CVEs fixed in PAN-OS
PAN-SA-2024-0004 Informational Bulletin: OSS CVEs fixed in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS. While it was not determined that these CVEs have any significant impact on PAN-OS, they have been fixed out of an abundance of caution.
| CVE | Summary |
|---|---|
| CVE-2015-5739 | This CVE is fixed in PAN-OS 11.0.4, and all later PAN-OS versions. |
| CVE-2016-10228 | This CVE is fixed in PAN-OS 11.1.3, and all later PAN-OS versions. |
| CVE-2017-8923 | This CVE is fixed in PAN-OS 10.2.8, 11.0.3, and all later PAN-OS versions. |
| CVE-2017-9120 | This CVE is fixed in PAN-OS 10.2.8, 11.0.3, and all later PAN-OS versions. |
| CVE-2018-25009 | This CVE is fixed in PAN-OS 10.2.8, 11.0.4, 11.1.3, and all later PAN-OS versions. |
CVE-2
Oracle
Oracle Oracle Communications Risk Matrix: Install/Upgrade (Libtasn1) — CVE-2021-46848
vendor_oracle·2024-01-15·CVSS 9.1
CVE-2021-46848 [CRITICAL] Oracle Oracle Communications Risk Matrix: Install/Upgrade (Libtasn1) — CVE-2021-46848
Oracle Oracle Communications Risk Matrix: Install/Upgrade (Libtasn1) vulnerability
CVE: CVE-2021-46848
CVSS: 9.1
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2024 (JAN 2024)
Oracle
Oracle Oracle Communications Risk Matrix: Policy (GNU Libtasn1) — CVE-2021-46848
vendor_oracle·2023-04-15·CVSS 9.1
CVE-2021-46848 [CRITICAL] Oracle Oracle Communications Risk Matrix: Policy (GNU Libtasn1) — CVE-2021-46848
Oracle Oracle Communications Risk Matrix: Policy (GNU Libtasn1) vulnerability
CVE: CVE-2021-46848
CVSS: 9.1
Protocol: HTTPS
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2023 (APR 2023)
Ubuntu
Libtasn1 vulnerability
vendor_ubuntu·2022-10-31
CVE-2021-46848 Libtasn1 vulnerability
Title: Libtasn1 vulnerability
Summary: Libtasn1 could cause a crash when processing certain inputs.
It was discovered that Libtasn1 did not properly perform bounds
checking. An attacker could possibly use this issue to cause a
crash.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
libtasn1: Out-of-bound access in ETYPE_OK
vendor_redhat·2022-10-24·CVSS 9.1
CVE-2021-46848 [CRITICAL] CWE-193 libtasn1: Out-of-bound access in ETYPE_OK
libtasn1: Out-of-bound access in ETYPE_OK
GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.
An out-of-bounds read flaw was found in Libtasn1 due to an ETYPE_OK off-by-one error in the asn1_encode_simple_der() function. This flaw allows a remote attacker to pass specially crafted data or invalid values to the application, triggering an off-by-one error, corrupting the memory, and possibly performing a denial of service (DoS) attack.
Statement: This flaw enables access to one additional memory byte, significantly constraining the potential damage an attacker could inflict. For this reason it is rated as having a Moderate impact to Red Hat Offerings.
Package: libtasn1 (Red Hat Enterprise Linux 6) - Not affected
Package: libtasn1 (
Microsoft
GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.
vendor_msrc·2022-10-11·CVSS 9.1
CVE-2021-46848 [CRITICAL] CWE-193 GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.
GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
mitre: mitre
Customer Action Required: Yes
Remedia
Debian
CVE-2021-46848: libtasn1-6 - GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affe...
vendor_debian·2021·CVSS 9.1
CVE-2021-46848 [CRITICAL] CVE-2021-46848: libtasn1-6 - GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affe...
GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.
Scope: local
bookworm: resolved (fixed in 4.19.0-2)
bullseye: resolved (fixed in 4.16.0-2+deb11u1)
forky: resolved (fixed in 4.19.0-2)
sid: resolved (fixed in 4.19.0-2)
trixie: resolved (fixed in 4.19.0-2)
OSV
libtasn1-6 vulnerabilities
osv·2026-02-10·CVSS 9.1
CVE-2021-46848 [CRITICAL] libtasn1-6 vulnerabilities
libtasn1-6 vulnerabilities
USN-7954-1 fixed vulnerabilities in Libtasn1. This update provides the
corresponding updates for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu
18.04 LTS, and Ubuntu 20.04 LTS. CVE-2021-46848 only affected Ubuntu
14.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that Libtasn1 incorrectly handled decoding ASN.1
content. An attacker could possibly use this issue to cause Libtasn1 to
crash, resulting in a denial of service. (CVE-2025-13151)
It was discovered that Libtasn1 incorrectly handled encoding ASN.1
content. An attacker could possibly use this issue to cause Libtasn1 to
crash, resulting in a denial of service. This issue only affected
Ubuntu 22.04 LTS. (CVE-2021-46848)
OSV
libtasn1-6 vulnerabilities
osv·2026-01-12·CVSS 9.1
CVE-2025-13151 [CRITICAL] libtasn1-6 vulnerabilities
libtasn1-6 vulnerabilities
It was discovered that Libtasn1 incorrectly handled decoding ASN.1 content.
An attacker could possibly use this issue to cause Libtasn1 to crash,
resulting in a denial of service. (CVE-2025-13151)
It was discovered that Libtasn1 incorrectly handled encoding ASN.1 content.
An attacker could possibly use this issue to cause Libtasn1 to crash,
resulting in a denial of service. This issue only affected Ubuntu 22.04
LTS. (CVE-2021-46848)
OSV
CVE-2021-46848: GNU Libtasn1 before 4
osv·2022-10-24·CVSS 9.1
CVE-2021-46848 [CRITICAL] CVE-2021-46848: GNU Libtasn1 before 4
GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.
GHSA
GHSA-6468-68pw-9chw: GNU Libtasn1 before 4
ghsa_unreviewed·2022-10-24
CVE-2021-46848 [CRITICAL] CWE-125 GHSA-6468-68pw-9chw: GNU Libtasn1 before 4
GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.
No detection rules found.
No public exploits indexed.
Qualys
Oracle Patch Update, January 2024 Security Update Review
blogs_qualys·2024-01-17
Oracle Patch Update, January 2024 Security Update Review
## Table of Contents
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Oracle has released its first quarterly edition of Critical Patch Update, which contains patches for 389 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in a wide range of product families, including Oracle code and third-party components included in Oracle products.
In the first quarterly Oracle Critical Patch Update, Oracle Financial Services Applications received the highest number of patches, 71, constituting 18% of the total patches released. Oracle Communications and Oracle Communications Applications follow
References
- https://bugs.gentoo.org/866237
- https://gitlab.com/gnutls/libtasn1/-/commit/44a700d2051a666235748970c2df047ff207aeb5
- https://gitlab.com/gnutls/libtasn1/-/issues/32
- https://lists.debian.org/debian-lts-announce/2023/01/msg00003.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV4SHDJF2XLB4CUPTBPQQ6CLGZ5LKXPZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ECM2ELTVRYV4BZ5L5GMIRQE27RFHPAQ6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OGO7XST4EIJGX4B2ITZCYSWM24534BSU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V5LWOGF7QRMNFRUCZY6TDYQJVFI6MOQ2/
- https://security.netapp.com/advisory/ntap-20221118-0006/
Published: 2022-10-24