CVE-2024-29050 — CryptoAPI (CRYPT32.dll) CryptDecodeObject ASN.1 Integer Truncation → Heap Overflow

Last updated: 2026-07-02
Severity: High — RCE (Windows Cryptographic Services)
Component: CRYPT32.dll, CryptDecodeObject ASN.1 decoders
Bug Class: Integer truncation in allocation-size math (v6 << 6) → heap buffer overflow
Patch: April 2024 Patch Tuesday — size math constrained / validated
Related: Integer Overflows, Buffer Overflow, CVE-2024-38148 (Schannel UAF), C++ Exception Reversing

Vulnerability Summary

A heap buffer overflow in Windows CryptoAPI's ASN.1 decoding path (CryptDecodeObject in CRYPT32.dll), reached when parsing the X.509 CRL Distribution Points extension. While growing its output array the decoder recomputes the allocation size by doubling a count derived from the encoded data and shifting it left by 6 bits (v6 << 6, i.e. ×64). The arithmetic is 32-bit, so once 2 * v6 * 0x40 reaches 2^32 the result wraps and ASN1DecRealloc is asked for a far smaller buffer than the decoder then writes into. Because the extension is part of the certificate body, both the count and the data copied into the undersized buffer are attacker-influenced, so the overflow is at least partly controllable.


Affected Code Path

CryptDecodeObject(... X509_CRL_DIST_POINTS (lpszStructType 35 / 0x23) ...)
  → ASN1Dec_CRLDistributionPoints
    → ASN1BERDecExplicitTag → loop over distribution points
        v6 *= 2;                      // grow element count
        ASN1DecRealloc(..., v6 << 6)  // 2*v6*0x40 in 32-bit arithmetic: sign bit set from v6 = 0x1000000, wraps past 2^32 at v6 = 0x2000000
      → write past the undersized allocation                    // heap overflow

Key function: ASN1Dec_CRLDistributionPoints inside CRYPT32.dll, reached through CryptDecodeObject with lpszStructType X509_CRL_DIST_POINTS (35, written as "OID 0x23" in the original analysis; it is a structure-type constant, not an OID).


Root Cause Analysis

While iterating CRL distribution points the decoder grows its output array by doubling an element count (v6 *= 2) and reallocating to v6 << 6 bytes, i.e. 64 bytes per element. The product 2 * v6 * 0x40 = 0x80 * v6 is computed in 32-bit arithmetic: from v6 = 0x1000000 the result has its top bit set, at v6 = 0x2000000 it reaches 0x100000000 and wraps to 0, and v6 = 0x2000001 yields just 0x80. ASN1DecRealloc takes its size as a signed int, so it receives either a negative value or a tiny positive one; in the latter case it returns a buffer far smaller than the decoder believes it has. The subsequent writes of decoded elements run off the end of the allocation, a classic integer truncation turned heap overflow. Since the element content comes from the certificate, the overwrite is manipulable, which gives exploitation potential rather than a mere crash.
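The size arithmetic above, reproduced as an added example (not code from the write-up or from CRYPT32): the pre-patch computation in 32-bit arithmetic next to a checked version, plus the gap between what the truncated allocation holds and what the decoder goes on to write. The 64-byte element size is an assumption taken from the shift by 6; the counts fed in are constructed, and a real trigger would need that many distribution points in the encoded extension.

```c
#include <assert.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed element size: the page's "v6 << 6" is a multiply by 0x40, so each
 * decoded distribution point is modelled as a 64-byte record. */
#define ELEM_BYTES 0x40u

/* Pre-patch arithmetic as the page describes it, in 32-bit arithmetic: double
 * the element count, then shift left by 6. The 32-bit result is what gets
 * handed to a realloc whose size parameter is a signed int. */
uint32_t vuln_realloc_size(uint32_t count)
{
    uint32_t grown = count * 2u;          /* v6 *= 2 (wraps silently) */
    return grown << 6;                    /* v6 << 6, i.e. 2*v6*0x40 mod 2^32 */
}

/* What a signed-int size parameter sees: the same 32 bits reinterpreted
 * (two's complement, as on every Windows target). */
int32_t as_signed_int(uint32_t v)
{
    return (int32_t)v;
}

/* Bytes the decoder actually writes for the grown element array, computed
 * without truncation. */
uint64_t bytes_needed(uint32_t count)
{
    return (uint64_t)count * 2u * ELEM_BYTES;
}

/* How far the decoder's writes overshoot the truncated allocation, in bytes;
 * 0 when the arithmetic did not wrap. */
uint64_t overshoot_bytes(uint32_t count)
{
    uint64_t need = bytes_needed(count);
    uint64_t got  = vuln_realloc_size(count);
    return need > got ? need - got : 0;
}

/* Hardened size computation: refuse to grow when the doubled count or the
 * byte size would not fit, and cap at INT_MAX so a signed allocator parameter
 * can never receive a negative value. Returns the byte size, or -1 when the
 * decode must fail instead of allocating. */
int64_t safe_realloc_size(uint32_t count)
{
    if (count > UINT32_MAX / 2u)
        return -1;
    uint32_t grown = count * 2u;
    if (grown > UINT32_MAX / ELEM_BYTES)
        return -1;
    uint32_t bytes = grown * ELEM_BYTES;
    if (bytes > (uint32_t)INT_MAX)
        return -1;
    return (int64_t)bytes;
}

int main(void)
{
    /* Constructed counts: a benign one, the first with the sign bit set, the
     * first that wraps to 0, and one that wraps to a tiny positive size. */
    const uint32_t counts[] = { 0x10u, 0x1000000u, 0x2000000u, 0x2000001u };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        uint32_t c = counts[i];
        uint32_t v = vuln_realloc_size(c);
        int64_t  s = safe_realloc_size(c);
        printf("count=0x%08x vuln_size=0x%08x (as int %d) needed=0x%llx "
               "overshoot=0x%llx safe=%s\n",
               c, v, as_signed_int(v),
               (unsigned long long)bytes_needed(c),
               (unsigned long long)overshoot_bytes(c),
               s < 0 ? "rejected" : "ok");
    }
    return 0;
}
```

The interesting row is 0x1000000: the 32-bit value is still numerically right, but as a signed int it is negative, so a size check that only compares the unsigned result against the expected total would pass while the allocator is handed INT_MIN. The checked version rejects anything above INT_MAX for exactly that reason.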


Reaching the Vulnerable Decoder

The practical hurdle was finding a Windows component that actually decodes this structure type. Enumerating every DLL and EXE that imports CryptDecodeObject surfaced certutil.exe as a local trigger of the vulnerable path. Parallel research (credited to "Eric") also found a remote trigger path, so the bug is not confined to local tooling.


Patch Analysis

The fix constrains the size arithmetic and adds validation before the reallocation, preventing the multiplication from wrapping.


The same write-up covers a sibling heap overflow, CVE-2024-30020, in Asn1X509GetPKIFreeText: the output size was computed from the string length in bytes, although the decoded text is written as wide (16-bit) characters, so the buffer held only half of what the copy wrote. The patch corrects the element-width cast in the size math. Both bugs share the "wrong unit / wrong width in an ASN.1 size computation" theme, a productive variant-hunting pattern across the CRYPT32 ASN.1 decoders.
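The byte-versus-wide-character mismatch, as an added example that is not code from the write-up or from CRYPT32: a minimal DER reader pulls the first UTF8String out of a constructed PKIFreeText, the buffer is sized by either the byte-count model of the pre-patch bug or the corrected wide-character math, and a bounds-checked widening routine reports the overflow instead of performing it. The sizing functions, the sample DER bytes and the NUL-terminator accounting are assumptions made for illustration; only short-form DER lengths are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal DER TLV reader for short-form lengths (< 0x80) only, which is all
 * the constructed sample below needs. Returns 0 and fills the outputs, or -1. */
int der_read_tlv(const uint8_t *buf, size_t n, uint8_t *tag,
                 const uint8_t **val, size_t *len)
{
    if (n < 2 || (buf[1] & 0x80u)) return -1;   /* long-form length: not handled */
    if ((size_t)buf[1] + 2 > n)   return -1;   /* length runs past the buffer */
    *tag = buf[0];
    *len = buf[1];
    *val = buf + 2;
    return 0;
}

/* Assumed model of the pre-patch size math: the string length is used as a
 * byte count for output that is written as 16-bit characters. */
size_t pkifreetext_alloc_vuln(size_t nchars)
{
    return nchars + 1;                      /* one byte per char plus NUL */
}

/* Corrected: every character and the terminator occupy sizeof(uint16_t). */
size_t pkifreetext_alloc_fixed(size_t nchars)
{
    return (nchars + 1) * sizeof(uint16_t);
}

/* Bounds-checked ASCII -> UTF-16LE widening with a NUL terminator. Returns the
 * number of bytes written, or -1 when dst_bytes cannot hold the result. */
int widen_utf16le(const uint8_t *src, size_t n, uint8_t *dst, size_t dst_bytes)
{
    if (n > SIZE_MAX / 2 - 1 || dst_bytes < (n + 1) * 2) return -1;
    for (size_t i = 0; i < n; i++) {
        dst[2 * i]     = src[i];
        dst[2 * i + 1] = 0;
    }
    dst[2 * n] = 0;
    dst[2 * n + 1] = 0;
    return (int)((n + 1) * 2);
}

/* Decode the first UTF8String of a PKIFreeText and widen it into a buffer whose
 * size comes from `sizer`. Returns bytes written, -1 on a parse error, or -2
 * when the sized buffer would have been overflowed. */
int decode_first_text(const uint8_t *der, size_t der_len,
                      size_t (*sizer)(size_t), uint8_t *out, size_t out_cap)
{
    uint8_t tag;
    const uint8_t *seq, *str;
    size_t seq_len, str_len;
    if (der_read_tlv(der, der_len, &tag, &seq, &seq_len) || tag != 0x30) return -1; /* SEQUENCE */
    if (der_read_tlv(seq, seq_len, &tag, &str, &str_len) || tag != 0x0C) return -1; /* UTF8String */
    size_t alloc = sizer(str_len);
    if (alloc > out_cap) return -1;         /* keep the demo inside its own buffer */
    int w = widen_utf16le(str, str_len, out, alloc);
    return w < 0 ? -2 : w;
}

/* Constructed sample: PKIFreeText ::= SEQUENCE OF UTF8String, one element "hello". */
static const uint8_t SAMPLE_PKIFREETEXT[] = {
    0x30, 0x07,                         /* SEQUENCE, 7 bytes */
    0x0C, 0x05, 'h', 'e', 'l', 'l', 'o' /* UTF8String, 5 bytes */
};

/* Run the sample through a given sizing policy with a private scratch buffer. */
int run_sample(size_t (*sizer)(size_t))
{
    uint8_t out[64];
    return decode_first_text(SAMPLE_PKIFREETEXT, sizeof SAMPLE_PKIFREETEXT,
                             sizer, out, sizeof out);
}

int main(void)
{
    printf("fixed sizing: %d bytes written\n", run_sample(pkifreetext_alloc_fixed));
    printf("vuln sizing : %d (buffer would have overflowed)\n", run_sample(pkifreetext_alloc_vuln));
    return 0;
}
```

With the byte-count sizing the 5-character string gets a 6-byte buffer while the widening needs 12, which is the shape of under-allocation the patch addresses; the checked converter turns that into a refused write rather than a heap overflow.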


References