CVE-2024-58261
BaseFortify
Publication date: 2025-07-27
Last updated on: 2025-08-06
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sequoia-pgp | sequoia-openpgp | From 1.13.0 (inc) to 1.21.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a denial-of-service (DoS) issue in the Rust crate sequoia-openpgp versions 1.13.0 through 1.20.0. It occurs in the RawCertParser component when it encounters an unsupported primary key type or certificate version (such as OpenPGP v3 keys). Instead of properly handling the unsupported key, the parser fails to advance the input stream and enters an infinite loop, repeatedly outputting error messages. This causes the affected software to hang or become unresponsive until the process is terminated. [1, 2]
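The failure mode described above (an error path that does not consume any input, so the caller's loop re-reads the same bytes forever) is easy to reproduce and to guard against in a small model. The following is an added example, not code from sequoia-openpgp: it uses a constructed, hypothetical packet layout (`[tag][version][len][body]`, tag 6 = key, only version 4 supported) rather than real OpenPGP framing. `RawParser` can be built in the vulnerable mode (cursor left in place on error) or the fixed mode (cursor advanced past the rejected packet), and `drain_guarded` shows the generic CWE-835 defence a consumer can apply to any pull-style parser: abort when an error is reported without the cursor moving.

```rust
// Added example for CVE-2024-58261 (not sequoia-openpgp code).
// Constructed, hypothetical wire format: [tag: u8][version: u8][len: u8][body: len bytes].

#[derive(Debug, PartialEq)]
pub enum ParseError {
    UnsupportedVersion(u8),
    NotAKeyPacket(u8),
    Truncated,
}

#[derive(Debug, PartialEq)]
pub struct Key {
    pub version: u8,
    pub body: Vec<u8>,
}

pub struct RawParser<'a> {
    data: &'a [u8],
    pos: usize,
    // false = vulnerable behaviour (cursor not moved on error), true = fixed.
    advance_on_error: bool,
}

impl<'a> RawParser<'a> {
    pub fn new(data: &'a [u8], advance_on_error: bool) -> Self {
        RawParser { data, pos: 0, advance_on_error }
    }

    pub fn position(&self) -> usize {
        self.pos
    }

    /// Decode the packet at the cursor. Returns None at end of input.
    fn next_packet(&mut self) -> Option<Result<Key, ParseError>> {
        if self.pos >= self.data.len() {
            return None;
        }
        let rest = &self.data[self.pos..];
        if rest.len() < 3 {
            self.pos = self.data.len(); // truncated header: nothing more to read
            return Some(Err(ParseError::Truncated));
        }
        let (tag, version, len) = (rest[0], rest[1], rest[2] as usize);
        let end = 3 + len;
        if rest.len() < end {
            self.pos = self.data.len(); // truncated body: nothing more to read
            return Some(Err(ParseError::Truncated));
        }
        let result = if tag != 6 {
            Err(ParseError::NotAKeyPacket(tag))
        } else if version != 4 {
            Err(ParseError::UnsupportedVersion(version))
        } else {
            Ok(Key { version, body: rest[3..end].to_vec() })
        };
        // The bug: on an unsupported packet the cursor stays put, so every
        // subsequent call re-parses the same packet and reports the same error.
        if result.is_ok() || self.advance_on_error {
            self.pos += end;
        }
        Some(result)
    }
}

impl<'a> Iterator for RawParser<'a> {
    type Item = Result<Key, ParseError>;
    fn next(&mut self) -> Option<Self::Item> {
        self.next_packet()
    }
}

// Constructed sample stream: a v4 key, a v3 key (unsupported), another v4 key.
pub const SAMPLE: &[u8] = &[6, 4, 2, 0xAA, 0xBB, 6, 3, 1, 0xCC, 6, 4, 0];

/// Pull at most `budget` items. Returns (ok, errors, reached_end_of_input).
/// The budget is only there so the vulnerable variant can be shown without hanging.
pub fn drain(data: &[u8], advance_on_error: bool, budget: usize) -> (usize, usize, bool) {
    let mut p = RawParser::new(data, advance_on_error);
    let (mut ok, mut errs) = (0, 0);
    for _ in 0..budget {
        match p.next() {
            None => return (ok, errs, true),
            Some(Ok(_)) => ok += 1,
            Some(Err(_)) => errs += 1,
        }
    }
    (ok, errs, false)
}

/// Consumer-side guard over the vulnerable parser. Returns (ok, errors, stalled):
/// an error that leaves the cursor where it was is treated as fatal.
pub fn drain_guarded(data: &[u8], budget: usize) -> (usize, usize, bool) {
    let mut p = RawParser::new(data, false);
    let (mut ok, mut errs) = (0, 0);
    for _ in 0..budget {
        let before = p.position();
        match p.next() {
            None => return (ok, errs, false),
            Some(Ok(_)) => ok += 1,
            Some(Err(_)) => {
                errs += 1;
                if p.position() == before {
                    return (ok, errs, true); // no progress: stop instead of spinning
                }
            }
        }
    }
    (ok, errs, false)
}

fn main() {
    println!("fixed parser:      {:?}", drain(SAMPLE, true, 100));
    println!("vulnerable parser: {:?}", drain(SAMPLE, false, 100));
    println!("guarded consumer:  {:?}", drain_guarded(SAMPLE, 100));
}
```

With the fixed parser the stream yields two keys and one `UnsupportedVersion(3)` error and then ends; the vulnerable parser yields the first key and then the same error on every call until the budget runs out. The progress check in `drain_guarded` is the cheap, library-independent mitigation for this class of bug: any loop that pulls from a parser should fail closed when an iteration consumes nothing.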
How can this vulnerability impact me?
This vulnerability can cause any software using the sequoia-openpgp crate (directly or indirectly, such as through sequoia_cert_store) to hang or become unresponsive when processing crafted or unsupported OpenPGP keys. An attacker can exploit this by supplying specially crafted keys that trigger the infinite loop, resulting in a denial-of-service condition that disrupts normal operation and availability of the affected software. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by running the Sequoia PGP project's debugging tool utf8-status on files containing OpenPGP v3 keys. To reproduce and detect the issue, you can clone the utf8-status repository, build the tool using Cargo, and run it against test files with v3 keys. The infinite loop and repeated error messages "Reading a cert: Invalid operation: Not a Key packet" indicate the presence of the vulnerability. Example commands:
1) git clone https://gitlab.com/sequoia-pgp/utf8-status.git
2) cd utf8-status
3) cargo build --release
4) ./target/release/utf8-status <file_with_v3_keys>
[2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the sequoia-openpgp crate to version 1.21.0 or later, where the vulnerability has been fixed by properly handling unsupported certificate versions with a new error type. Avoid using affected versions from 1.13.0 through 1.20.0. If upgrading is not immediately possible, avoid processing untrusted or crafted OpenPGP v3 keys that could trigger the infinite loop. [1]