CVE-2015-2806

Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows remote attackers to have unspecified impact via unknown vectors.

Published: 2015-04-10 Last update: 2026-05-06 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2015-2806 is rated High Risk (69.4/100): CVSS Critical severity, with high exploitation likelihood (EPSS 9.35%, 92th percentile). EPSS ranks this CVE among the most likely to be exploited in the near term. High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2015-2806

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2025-11-05 12.33% 9.35% -2.98%
2 2025-05-04 7.45% 12.33% +4.88%
3 2025-03-30 7.45%

Full EPSS history (11 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2015-2806

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
10.0 2.0 HIGH
AV:N/AC:L/Au:N/C:C/I:C/A:C Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:C)
Complete confidentiality impact.
Integrity impact (I:C)
Complete integrity impact.
Availability impact (A:C)
Complete availability impact.
 10.0 10.0 [email protected]

Weakness enumeration for CVE-2015-2806

OS Trackers for CVE-2015-2806

vendor priority summary link
debian not yet assigned CVE-2015-2806 not yet assigned priority: Debian including 1 source packages (libtasn1-6), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2015-2806
gentoo normal CVE-2015-2806: 1 GLSA(s) (201509-04), 1 atom(s) (dev-libs/libtasn1); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2015-2806
redhat low https://access.redhat.com/security/cve/CVE-2015-2806
suse critical CVE-2015-2806 severity critical: SUSE including 312 source package names (amazon/suse-sles-15-sp1-chost-byos-v20210304-hvm-ssd-x86_64, amazon/suse-sles-15-sp1-chost-byos-v20220127-hvm-ssd-x86_64, …), 470 product×package rows across 72 product lines (HPE Helion OpenStack 8, SUSE Liberty Linux 7, … (72 product lines)): Fixed 259, Known Affected 157, Known Not Affected 54. https://www.suse.com/security/cve/CVE-2015-2806/
ubuntu medium CVE-2015-2806 medium priority: Ubuntu including 2 source packages (libtasn1-3, libtasn1-6), 10 status rows across 5 suites (lucid, precise, trusty, upstream, utopic): DNE 4, released 4, needs-triage 2. https://ubuntu.com/security/CVE-2015-2806

Affected software / configurations for CVE-2015-2806

Vendor Product Version Raw CPE
canonical ubuntu_linux 10.04 cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*
canonical ubuntu_linux 12.04 cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
canonical ubuntu_linux 14.04 cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
canonical ubuntu_linux 14.10 cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
debian debian_linux 7.0 cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
fedoraproject fedora 20 cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*
fedoraproject fedora 21 cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
fedoraproject fedora 22 cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
gnu libtasn1 <= 4.3 cpe:2.3:a:gnu:libtasn1:*:*:*:*:*:*:*:*

References for CVE-2015-2806

URL Tags
http://git.savannah.gnu.org/gitweb/?p=libtasn1.git%3Ba=commit%3Bh=4d4f992826a4962790ecd0cce6fbba4a415ce149
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154741.html Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154805.html Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155117.html Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155270.html Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155435.html Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155483.html Third Party Advisory
http://www.debian.org/security/2015/dsa-3220 Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2015:193 Broken Link
http://www.openwall.com/lists/oss-security/2015/03/29/4 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2015/03/31/2 Mailing List Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.securityfocus.com/bid/73436
http://www.securitytracker.com/id/1032080 Third Party Advisory VDB Entry
http://www.ubuntu.com/usn/USN-2559-1 Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1860
https://security.gentoo.org/glsa/201509-04
cvelogic Threat Intelligence