Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
A flaw was found in rust-rpm-sequoia. An attacker can exploit this vulnerability by providing a specially crafted Red Hat Package Manager (RPM) file. During the RPM signature verification process, this crafted file can trigger an error in the OpenPGP signature parsing code, leading to an unconditional termination of the rpm process. This issue results in an application level denial of service, making the system unable to process RPM files for signature verification.
AnalysisAI
Denial of service in rust-rpm-sequoia allows local attackers to crash RPM signature verification by submitting specially crafted RPM files that trigger unhandled errors in OpenPGP parsing, preventing legitimate package management operations. CVSS 4.0 (low severity), local attack vector, non-authenticating. No public exploit code or active exploitation confirmed.
Technical ContextAI
rust-rpm-sequoia is a Rust library implementing RPM package signature verification using OpenPGP cryptographic standards. The vulnerability stems from improper error handling (CWE-347: Improper Verification of Cryptographic Signature) in the OpenPGP signature parsing code path. When processing a maliciously constructed RPM file during signature validation, the parser encounters an error condition that is not gracefully caught, causing unconditional process termination. This affects Red Hat Enterprise Linux 9 and 10, and Red Hat Hardened Images 1, which rely on rust-rpm-sequoia for cryptographic package authentication. The local-only attack vector (AV:L) indicates the attacker must have local file system access or the ability to place a crafted RPM in a location where the target system will attempt verification.
RemediationAI
Apply the security update for rust-rpm-sequoia when released by Red Hat. Systems running Red Hat Enterprise Linux 9 and 10 should check Red Hat's security advisory at https://access.redhat.com/security/cve/CVE-2026-2625 for patched package versions. As an interim mitigation, restrict filesystem access to directories where RPM packages are staged for signature verification to trusted administrators only, and avoid processing RPM files from untrusted or unverified sources. Monitor system logs for unexpected rpm process terminations as a detection indicator.
More in Jwt Attack
View allWhy is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update
Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT
A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti
A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27
A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote
Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18815
GHSA-4pr8-8cvj-qg4h