A security researcher discovered a CWE-190 integer overflow vulnerability in the ASN.1 DER parser of a popular open-source Java/Kotlin TLS library. The parser's VLQ decoding function used a 64-bit Long with no overflow protection, allowing an attacker to feed 11 crafted bytes causing 70 bits of left shifts, silently truncating a massive number to a small value. This enables OID spoofing: a rogue certificate with a crafted oversized OID gets truncated to match a trusted standard OID, bypassing certificate validation and enabling MitM attacks. The fix involves a pre-shift boundary check. The writeup also shares practical bug hunting tips: follow TODO comments, build local test harnesses, and always translate math errors into concrete security impact.
Table of contents
1. The Background: Understanding VLQs and ASN.1 DER2. The Vulnerability: The Silent Overflow3. The Exploitation: Crafting the PayloadGet Hacker MD ’s stories in your inbox4. The Security Impact: OID Spoofing5. The RemediationSort: