CVE-2025-67897
Unknown Unknown - Not Provided
Panic Vulnerability in Sequoia aes_key_unwrap Allows Remote Crash

Publication date: 2025-12-14

Last updated on: 2025-12-14

Assigner: MITRE

Description
In Sequoia before 2.1.0, aes_key_unwrap panics if passed a ciphertext that is too short. A remote attacker can take advantage of this issue to crash an application by sending a victim an encrypted message with a crafted PKESK or SKESK packet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-14
Last Modified
2025-12-14
Generated
2026-06-16
AI Q&A
2025-12-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67897
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sequoia sequoia *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-195 The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by monitoring for application crashes or panics in the sequoia-openpgp library when processing encrypted messages, especially those containing PKESK or SKESK packets. There are no specific commands provided in the resources to detect this vulnerability on a network or system. However, inspecting logs for crashes related to aes_key_unwrap or unusual memory allocation failures during decryption attempts may help identify exploitation attempts. [1, 3]

Executive Summary

This vulnerability occurs in Sequoia versions before 2.1.0 where the function aes_key_unwrap panics if it receives a ciphertext that is too short. A remote attacker can exploit this by sending a specially crafted encrypted message with a PKESK or SKESK packet, causing the application to crash.

Impact Analysis

The vulnerability can be exploited by a remote attacker to crash an application, leading to a denial of service condition. This can disrupt availability of the affected service or application.

Mitigation Strategies

The immediate mitigation step is to upgrade the sequoia-openpgp library to version 2.1.0 or later, where the vulnerability in aes_key_unwrap has been fixed. Avoid processing untrusted encrypted messages containing PKESK or SKESK packets until the update is applied to prevent denial-of-service crashes. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67897. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart