Description
A flaw was found in rust-rpm-sequoia. An attacker can exploit this vulnerability by providing a specially crafted Red Hat Package Manager (RPM) file. During the RPM signature verification process, this crafted file can trigger an error in the OpenPGP signature parsing code, leading to an unconditional termination of the rpm process. This issue results in an application-level denial of service, making the system unable to process RPM files for signature verification.
Statement
This is a MODERATE impact, application-level denial of service vulnerability. A specially crafted RPM file can trigger a Rust panic during OpenPGP signature verification, causing the rpm process to abort. This issue can be exploited without privileges or user interaction by processing a malicious RPM file, for example, via rpm -Kv or rpm --checksig.
Mitigation
Avoid processing untrusted or attacker-controlled RPM files with rpm -Kv or rpm --checksig. Use isolated environments or additional validation layers when handling untrusted RPM artifacts.
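One concrete form of the "additional validation layer" the mitigation describes is a fail-closed wrapper around signature verification: a verifier that aborts (a Rust panic ends the process with SIGABRT) must be reported as "verifier crashed" rather than being confused with a pass or taking down the calling pipeline. The script below is an added example, not Red Hat's or the rpm project's code; it assumes the `rpm -Kv FILE` invocation named on this page and GNU `timeout`, and the exit-status mapping it relies on (128 + signal number for a signal death, so SIGABRT gives 134; 124 for a timeout) is standard POSIX shell and GNU coreutils behaviour.

```shell
#!/bin/sh
# Added example (not from the advisory or the rpm project): fail-closed
# wrapper around RPM signature verification so that an aborted verifier
# (e.g. a Rust panic -> SIGABRT) is classified as "crashed", never treated
# as a successful verification, and never kills the calling pipeline.

# classify_status STATUS
#   Maps a verifier exit status to one of: ok, bad-signature, crashed, timeout.
#   Shell convention: a command killed by signal N exits with 128+N, so a
#   SIGABRT (6) from a panic shows up as 134. GNU timeout exits 124.
classify_status() {
    case "$1" in
        0)   echo ok ;;
        124) echo timeout ;;
        *)
            if [ "$1" -ge 128 ]; then
                echo crashed
            else
                echo bad-signature
            fi
            ;;
    esac
}

# run_verifier CMD [ARGS...]
#   Runs the verification command with output discarded, captures its exit
#   status without tripping `set -e` in the caller, and prints the class.
run_verifier() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# verify_rpm FILE
#   Real use: the rpm -Kv invocation from the advisory, bounded by a timeout
#   (assumed command line; rpm and timeout are not exercised by the tests).
verify_rpm() {
    run_verifier timeout 30 rpm -Kv "$1"
}

# Example policy for a package-ingest job: only "ok" is accepted; "crashed"
# is logged separately because it points at the verifier, not the signature.
gate_package() {
    result=$(verify_rpm "$1")
    case "$result" in
        ok)      echo "accept: $1" ;;
        crashed) echo "reject (verifier aborted, investigate host): $1" >&2; return 2 ;;
        *)       echo "reject ($result): $1" >&2; return 1 ;;
    esac
}
```

The point of `run_verifier` is the `|| status=$?` capture: under `set -e`, a verifier that dies with SIGABRT would otherwise terminate the whole ingest script, turning a per-file denial of service into a pipeline outage. Surfacing `crashed` as its own class also gives operators something to alert on, since a bad signature and a crashing verifier call for different responses.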
Affected Packages

| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | rust-rpm-sequoia | Fix deferred | | |
| Red Hat Enterprise Linux 9 | rust-rpm-sequoia | Fix deferred | | |
Additional information

Status: CVSS3 base score 4 (Medium)