CVE-2026-2625
Denial of Service in rust-rpm-sequoia via RPM Signature Parsing
Publication date: 2026-04-03
Last updated on: 2026-05-01
Assigner: Red Hat, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | enterprise_linux | 9.0 |
| redhat | enterprise_linux | 10.0 |
| redhat | hardened_images | * |
| sequoia-pgp | rpm-sequoia | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in rust-rpm-sequoia and can be exploited by an attacker who provides a specially crafted RPM file. When the system attempts to verify the signature of this RPM file, the crafted file causes an error in the OpenPGP signature parsing code. This error leads to an unconditional termination of the rpm process.
As a result, the system experiences an application-level denial of service: it becomes unable to process RPM files for signature verification.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, avoid processing untrusted or suspicious RPM files using signature verification commands such as `rpm -Kv` or `rpm --checksig` until a patch or update is applied.
Restrict access to systems performing RPM signature verification to trusted users and environments to reduce the risk of malicious RPM files being supplied.
Monitor and review any automated workflows or continuous integration pipelines that perform RPM signature verification to ensure they do not process untrusted RPM files.
How can this vulnerability impact me?
The primary impact of this vulnerability is an application-level denial of service. Specifically, the rpm process terminates unexpectedly when processing a maliciously crafted RPM file.
This means that the system will be unable to verify the signatures of RPM files, potentially disrupting package management operations that rely on signature verification.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to verify RPM package signatures using standard RPM command-line operations with potentially malicious RPM files.
- Use the command `rpm -Kv <rpm-file>` to check the signature of an RPM file.
- Alternatively, use `rpm --checksig <rpm-file>` to perform signature verification.
If the rpm process terminates unexpectedly or aborts during these operations, it may indicate the presence of the vulnerability when processing a crafted RPM file.