CVE-2026-2625
Received Received - Intake
Denial of Service in rust-rpm-sequoia via RPM Signature Parsing

Publication date: 2026-04-03

Last updated on: 2026-05-01

Assigner: Red Hat, Inc.

Description
A flaw was found in rust-rpm-sequoia. An attacker can exploit this vulnerability by providing a specially crafted Red Hat Package Manager (RPM) file. During the RPM signature verification process, this crafted file can trigger an error in the OpenPGP signature parsing code, leading to an unconditional termination of the rpm process. This issue results in an application level denial of service, making the system unable to process RPM files for signature verification.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2625
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
redhat enterprise_linux 9.0
redhat enterprise_linux 10.0
redhat hardened_images *
sequoia-pgp rpm-sequoia *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in rust-rpm-sequoia and can be exploited by an attacker who provides a specially crafted RPM file. When the system attempts to verify the signature of this RPM file, the crafted file causes an error in the OpenPGP signature parsing code. This error leads to an unconditional termination of the rpm process.

As a result, the system experiences an application level denial of service, meaning it becomes unable to process RPM files for signature verification.

Mitigation Strategies

To mitigate this vulnerability immediately, avoid processing untrusted or suspicious RPM files using signature verification commands such as `rpm -Kv` or `rpm --checksig` until a patch or update is applied.

Restrict access to systems performing RPM signature verification to trusted users and environments to reduce the risk of malicious RPM files being supplied.

Monitor and review any automated workflows or continuous integration pipelines that perform RPM signature verification to ensure they do not process untrusted RPM files.

Impact Analysis

The primary impact of this vulnerability is an application level denial of service. Specifically, the rpm process will terminate unexpectedly when processing a maliciously crafted RPM file.

This means that the system will be unable to verify the signatures of RPM files, potentially disrupting package management operations that rely on signature verification.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by attempting to verify RPM package signatures using standard RPM command-line operations with potentially malicious RPM files.

  • Use the command `rpm -Kv <rpm-file>` to check the signature of an RPM file.
  • Alternatively, use `rpm --checksig <rpm-file>` to perform signature verification.

If the rpm process terminates unexpectedly or aborts during these operations, it may indicate the presence of the vulnerability when processing a crafted RPM file.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2625. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart