CVE Reports

Posted on • Originally published at cvereports.com

GHSA-7587-4WV6-M68M: Panic at the Keyring: Crashing rPGP with a Single Byte

Vulnerability ID: GHSA-7587-4WV6-M68M
CVSS Score: 7.5
Published: 2026-02-13

In the world of safe systems programming, Rust is the golden child. It promises to save us from the memory corruption sins of C and C++. But while Rust protects memory, it doesn't protect logic. A critical denial-of-service vulnerability was discovered in the rPGP library (and its dependency, the rsa crate) where a mathematically impossible RSA key component triggers a hard panic. By setting a prime factor to '1', an attacker can trick the underlying arithmetic engine into a division-by-zero scenario, crashing any application attempting to parse the key. This is a story about how 'safe' languages still need defensive coding.

TL;DR

The rPGP library (via the rsa crate < 0.9.10) contains a logic flaw in validating RSA private key components. By providing a crafted Secret Key Packet where one of the prime factors is set to 1, the library attempts to calculate modular inverses modulo (p-1), which is zero when p = 1, resulting in a division-by-zero panic. This crashes the application process, leading to a Denial of Service (DoS) against keyservers, email clients, or signing services using the library.

⚠️ Exploit Status: POC

Technical Details

  • CVE ID: CVE-2026-21895
  • CWE ID: CWE-703 (Unhandled Exception)
  • CVSS: 7.5 (High)
  • Attack Vector: Network
  • Impact: Denial of Service (Process Crash)
  • Root Cause: Division by Zero Panic

Affected Systems

  • Rust applications using rPGP crate
  • Rust applications using rsa crate directly (< 0.9.10)
  • OpenPGP Keyservers based on rPGP
  • Secure email gateways using Rust backends
  • rsa: < 0.9.10 (Fixed in: 0.9.10)
  • pgp: < 0.14.0 (Fixed in: Dependent on rsa update)

Code Analysis

Commit: 2926c91

Fixed validation of primes in RsaPrivateKey to reject 1

- if *prime < BigUint::one() {
+ if *prime <= BigUint::one() {
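Review bot: The change from `<` to `<=` is the right minimum fix, since a prime equal to one makes p-1 zero in the later inverse computation, but the hunk carries no regression test; add one that builds an RsaPrivateKey whose prime list contains BigUint::one() and asserts the constructor returns an error rather than panicking. A one-line comment beside the comparison stating why 1 is rejected would also help, because the reason is not visible from the check alone.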

Commit: 38efa49

Bump rsa dependency to 0.9.10

- rsa = { version = "0.9.9" }
+ rsa = { version = "0.9.10" }
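Review bot: The bump to 0.9.10 matches the patched release, but with Cargo's default caret semantics this line only raises the floor; commit the refreshed Cargo.lock alongside it so builds run with --locked actually resolve 0.9.10, and record the advisory id in the commit body so the reason for the bump is traceable.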

Exploit Details

  • GitHub: Original issue report demonstrating the panic with p=1

Mitigation Strategies

  • Update the dependency tree so rsa resolves to 0.9.10 or later
  • Wrap parsing of untrusted key material in panic handlers (std::panic::catch_unwind)
  • Input sanitization: reject key components equal to 0 or 1 before any arithmetic runs on them

Remediation Steps:

  1. Run cargo update -p rsa to upgrade to version 0.9.10 or later.
  2. Recompile any applications that use the pgp crate.
  3. Audit code for other instances of BigUint usage where 1 or 0 might cause division errors.
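The example below is added here and is not code from rPGP or the rsa crate. It models the advisory's root cause and two of the mitigations above on small u64 values so it runs on std alone: a toy modular inverse that, like a bignum library, reduces its argument modulo m and therefore panics when m is zero; the pre-fix (`< one`) and post-fix (`<= one`) prime checks side by side; and a catch_unwind wrapper that turns the panic into an error. The names KeyError, RsaPrivateKeyParts, validate_primes_vulnerable, validate_primes_fixed and derive_guarded are constructed for this example, and the key values (e = 17, primes 61 and 53) are illustrative, not real key material.

```rust
use std::panic;

/// Constructed error type for this example (not the rsa crate's own error enum).
#[derive(Debug, PartialEq)]
pub enum KeyError {
    /// A prime factor is 0 or 1, which no RSA key can contain.
    InvalidPrime,
    /// e has no inverse modulo (p-1): the key material is inconsistent.
    NoInverse,
    /// The arithmetic panicked; only reachable through the vulnerable path.
    Panicked,
}

/// Constructed stand-in for a parsed Secret Key Packet: small u64 values
/// instead of BigUint so the whole example runs without external crates.
pub struct RsaPrivateKeyParts {
    pub e: u64,
    pub primes: Vec<u64>,
}

/// Modular inverse of `a` modulo `m` (extended Euclid). Like a bignum library
/// it first reduces `a % m`, so `m == 0` panics with a remainder-by-zero error,
/// which is exactly what (p - 1) becomes when a prime factor is 1.
pub fn mod_inverse(a: u64, m: u64) -> Option<u64> {
    let m = m as i128;
    let (mut old_r, mut r) = ((a as i128) % m, m); // panics when m == 0
    let (mut old_s, mut s) = (1i128, 0i128);
    while r != 0 {
        let q = old_r / r;
        (old_r, r) = (r, old_r - q * r);
        (old_s, s) = (s, old_s - q * s);
    }
    if old_r != 1 {
        return None; // gcd != 1: no inverse exists
    }
    Some(old_s.rem_euclid(m) as u64)
}

/// Pre-fix check (mirrors `*prime < BigUint::one()`): rejects 0 but lets 1 through.
pub fn validate_primes_vulnerable(primes: &[u64]) -> Result<(), KeyError> {
    if primes.iter().any(|&p| p < 1) {
        return Err(KeyError::InvalidPrime);
    }
    Ok(())
}

/// Post-fix check (mirrors `*prime <= BigUint::one()`): rejects 0 and 1.
pub fn validate_primes_fixed(primes: &[u64]) -> Result<(), KeyError> {
    if primes.iter().any(|&p| p <= 1) {
        return Err(KeyError::InvalidPrime);
    }
    Ok(())
}

/// Validate the primes, then derive the CRT exponent e^-1 mod (p-1) for each.
/// With the vulnerable validator and a prime of 1 this reaches mod_inverse(e, 0).
pub fn derive_crt_exponents(
    key: &RsaPrivateKeyParts,
    validate: fn(&[u64]) -> Result<(), KeyError>,
) -> Result<Vec<u64>, KeyError> {
    validate(&key.primes)?;
    key.primes
        .iter()
        .map(|&p| mod_inverse(key.e, p - 1).ok_or(KeyError::NoInverse))
        .collect()
}

/// Mitigation from the list above: wrap parsing of untrusted key material in
/// catch_unwind so a crafted packet yields an error instead of a process crash.
/// Uses the vulnerable validator on purpose to show the panic being contained.
pub fn derive_guarded(key: &RsaPrivateKeyParts) -> Result<Vec<u64>, KeyError> {
    panic::catch_unwind(|| derive_crt_exponents(key, validate_primes_vulnerable))
        .unwrap_or(Err(KeyError::Panicked))
}

fn main() {
    // Constructed sample keys: a well-formed one and the p = 1 case from the advisory.
    let good = RsaPrivateKeyParts { e: 17, primes: vec![61, 53] };
    let crafted = RsaPrivateKeyParts { e: 17, primes: vec![1, 53] };
    println!("good key, fixed check: {:?}", derive_crt_exponents(&good, validate_primes_fixed));
    println!("crafted key, fixed check: {:?}", derive_crt_exponents(&crafted, validate_primes_fixed));
    println!("crafted key, vulnerable check + catch_unwind: {:?}", derive_guarded(&crafted));
}
```

The fixed validator is the real remedy: it returns InvalidPrime before any arithmetic touches p-1. catch_unwind is a backstop for code paths you do not control, and it has two caveats worth remembering: it does nothing under `panic = "abort"` profiles, and the default panic hook still writes the panic message to stderr, so a service that relies on it should install its own hook and log the rejected input instead.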

References

  • Full report for GHSA-7587-4WV6-M68M on cvereports.com, including interactive diagrams and full exploit analysis.
