CVE-2025-67897
Unknown Unknown - Not Provided

Panic Vulnerability in Sequoia aes_key_unwrap Allows Remote Crash

Vulnerability report for CVE-2025-67897, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-14

Last updated on: 2025-12-14

Assigner: MITRE

Description

In Sequoia before 2.1.0, aes_key_unwrap panics if passed a ciphertext that is too short. A remote attacker can take advantage of this issue to crash an application by sending a victim an encrypted message with a crafted PKESK or SKESK packet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-14
Last Modified
2025-12-14
Generated
2026-07-06
AI Q&A
2025-12-14
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sequoia sequoia *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-195 The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by monitoring for application crashes or panics in the sequoia-openpgp library when processing encrypted messages, especially those containing PKESK or SKESK packets. There are no specific commands provided in the resources to detect this vulnerability on a network or system. However, inspecting logs for crashes related to aes_key_unwrap or unusual memory allocation failures during decryption attempts may help identify exploitation attempts. [1, 3]

Executive Summary

This vulnerability occurs in Sequoia versions before 2.1.0 where the function aes_key_unwrap panics if it receives a ciphertext that is too short. A remote attacker can exploit this by sending a specially crafted encrypted message with a PKESK or SKESK packet, causing the application to crash.

Impact Analysis

The vulnerability can be exploited by a remote attacker to crash an application, leading to a denial of service condition. This can disrupt availability of the affected service or application.

Mitigation Strategies

The immediate mitigation step is to upgrade the sequoia-openpgp library to version 2.1.0 or later, where the vulnerability in aes_key_unwrap has been fixed. Avoid processing untrusted encrypted messages containing PKESK or SKESK packets until the update is applied to prevent denial-of-service crashes. [1, 3]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67897. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart