CVE-2026-23490

[tiwarishrijan]

Describe the bug

CVE-2026-23490

┌────────────────┬──────────┬──────────────────────────┬────────────┬───────────┬───────────┬──────────┬────────┬────────────┐
│ CVE            │ SEVERITY │ DIRECT                   │ DIRECT     │ AFFECTED  │ AFFECTED  │ FIXED    │ TYPE   │            │
│                │          │ DEPENDENCY               │ DEPENDENCY │ COMPONENT │ COMPONENT │ VERSIONS │        │            │
│                │          │                          │ VERSION    │ NAME      │ VERSION   │          │        │            │
├────────────────┼──────────┼──────────────────────────┼────────────┼───────────┼───────────┼──────────┼────────┼────────────┤
│ CVE-2026-23490 │ High     │ @aws-cdk/asset-awscli-v1 │ 2.2.261    │ pyasn1    │ 0.6.1     │ [0.6.2]  │ Python │            │
└────────────────┴──────────┴──────────────────────────┴────────────┴───────────┴───────────┴──────────┴────────┴────────────┘

Ref:
cdklabs/awscdk-asset-awscli#1361

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

No CVE

Current Behavior

CVE-2026-23490

Reproduction Steps

Install CDK LIB and scan

Possible Solution

No response

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

2.235.0

AWS CDK CLI version

2.1100.1

Node.js Version

v22.21.1

OS

Linux

Language

TypeScript

Language Version

No response

Other information

No response

[kumsmrit]

@tiwarishrijan
Thanks for raising this issue.
Based on our investigation, this seems like low risk scenario because, this vulnerability causes memory exhaustion when parsing malformed ASN.1 RELATIVE-OID data. It cannot execute arbitrary code or exfiltrate data. The pyasn1 library is a transitive dependency for aws-cdk pulled in via awscdk-asset-awscli → awscli → rsa → pyasn1.
This asset is used in Lambda functions during CDK deployments; Lambda has execution time limits and each invocation is isolated - memory exhaustion would fail a single invocation, not causing persistent compromise.
Since CDK primarily communicates with AWS services over secure channels, typical deployments aren't exposed to this attack vector.

We won't be doing a patch release for this one, but we can keep it open to fix the issue and completely remove the risk. But it wont be urgent.

[pahud]

This issue should have been resolved in release v2.2.262 of awscdk-asset-awscli: https://github.com/cdklabs/awscdk-asset-awscli/releases/tag/awscli-v1v2.2.262

@tiwarishrijan, please let me know if you're still experiencing any issues or have concerns.