CVE-2025-13151

7.5 HIGH

📋 TL;DR

A stack-based buffer overflow vulnerability in libtasn1 v4.20.0 allows attackers to execute arbitrary code or cause denial of service by exploiting improper input validation in the asn1_expand_octet_string function. This affects any application or system that uses libtasn1 for ASN.1 parsing, including cryptographic libraries and network services.

💻 Affected Systems

Products:
  • libtasn1
  • GnuTLS
  • other software using libtasn1 library
Versions: libtasn1 version 4.20.0 specifically
Operating Systems: Linux, Unix-like systems, Windows if compiled with libtasn1
Default Config Vulnerable: ⚠️ Yes
Notes: Any application linking against libtasn1 4.20.0 is vulnerable when processing malicious ASN.1 data.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation.

🟠 Likely Case

Denial of service through application crashes or instability, potentially disrupting dependent services.

🟢 If Mitigated

Limited impact with proper memory protection mechanisms (ASLR, stack canaries) that may prevent code execution but not crashes.

🌐 Internet-Facing: MEDIUM - Exploitation requires specific conditions but could affect internet-facing services using libtasn1.
🏢 Internal Only: MEDIUM - Internal systems using vulnerable libtasn1 versions are at risk if attackers gain initial access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious ASN.1 data that triggers the buffer overflow, but no public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libtasn1 version after 4.20.0 (check GitLab merge request #121 for specific fix)

Vendor Advisory: https://gitlab.com/gnutls/libtasn1

Restart Required: Yes

Instructions:

1. Check current libtasn1 version.
2. Update libtasn1 package using system package manager (apt, yum, etc.).
3. Rebuild/reinstall any applications statically linked to libtasn1.
4. Restart affected services.

🔧 Temporary Workarounds

Input validation at application layer (platform: all)

Implement strict validation of ASN.1 input data before passing to libtasn1 functions.

Memory protection hardening (platform: linux)

Enable ASLR, stack canaries, and other memory protection mechanisms at OS/compiler level.

sysctl -w kernel.randomize_va_space=2
Recompile with -fstack-protector-all flag

🧯 If You Can't Patch

  • Network segmentation to isolate systems using vulnerable libtasn1 versions
  • Implement strict firewall rules to limit access to affected services

🔍 How to Verify

Check if Vulnerable:

Check libtasn1 version: 'libtasn1-config --version' or 'dpkg -l | grep libtasn1' or 'rpm -qa | grep libtasn1'

Check Version:

libtasn1-config --version

Verify Fix Applied:

Verify version is updated beyond 4.20.0 and test ASN.1 parsing functionality.
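The restart and verification steps above, as an added example (not code from this advisory or from the libtasn1 project): a POSIX shell helper that flags the affected version string and lists running processes that still map a replaced libtasn1 shared object and therefore still need a restart. The function names and the `scan` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: post-upgrade check for services still running the old libtasn1.

# Return 0 when the version string is the release this advisory names (4.20.0).
# Distro suffixes such as "4.20.0-2" also match; a distro may backport the fix
# without changing the upstream version, so confirm against the package changelog.
is_affected_version() {
    case "$1" in
        4.20.0|4.20.0[-+~]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "PID<TAB>path<TAB>state" for each process that has libtasn1 mapped.
# state is "stale" when the kernel marks the mapping "(deleted)": the file was
# replaced on disk by the upgrade but the process still executes the old code.
# $1 is the proc root (default /proc); it is a parameter so it can be tested.
libtasn1_mappings() (
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid="${maps%/maps}"
        pid="${pid##*/}"
        # maps columns: address perms offset dev inode pathname [(deleted)]
        awk -v pid="$pid" '
            /libtasn1\.so/ {
                state = ($NF == "(deleted)") ? "stale" : "current"
                path = $6
                if (!seen[path]++) printf "%s\t%s\t%s\n", pid, path, state
            }' "$maps" 2>/dev/null
    done
)

# Print only the PIDs that must be restarted to pick up the patched library.
stale_libtasn1_pids() {
    libtasn1_mappings "$1" | awk -F'\t' '$3 == "stale" { print $1 }' | sort -un
}

# Stand-alone use: sh check_libtasn1.sh scan   (run as root to see all processes)
if [ "${1:-}" = "scan" ]; then
    stale_libtasn1_pids /proc
fi
```

Statically linked binaries never show a libtasn1 mapping, so this check does not replace the rebuild in step 3.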

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Unexpected termination of services using libtasn1

Network Indicators:

  • Unusual ASN.1 data patterns in network traffic to services using libtasn1

SIEM Query:

source="application_logs" AND ("segmentation fault" OR "SIGSEGV") AND process="*libtasn1*"
