Description
The `rsa` crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue.
Published: 2026-01-08
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via panic during RSA private key construction
Action: Patch immediately
AI Analysis

Impact

The vulnerability lies in the RustCrypto RSA crate, an RSA implementation in Rust. In releases prior to 0.9.10, constructing a private key from its components triggers a panic when one of the primes equals 1, instead of returning an error. This panic abruptly terminates the host process, effectively causing a denial of service.

Affected Systems

All versions of the RustCrypto RSA crate older than 0.9.10 are affected, regardless of other dependencies. The fix is shipped in version 0.9.10 and later, where prime‑equals‑one is handled safely without panic.

Risk and Exploitability

The CVSS score of 2.7 categorizes the issue as low severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog, further reducing its relevance. Exploitation would require an attacker to supply key parameters that contain a prime of 1, a condition that is unlikely to arise in normal use but could be forced in a malicious payload or via dependency injection, leading to a process crash but not to arbitrary code execution.

Generated by OpenCVE AI on April 18, 2026 at 07:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the rsa crate to version 0.9.10 or later to eliminate the panic condition.
  • Validate all externally supplied RSA key components to ensure no prime value of 1 is used before attempting key construction.
  • Apply runtime checks or use vendor‑provided validation mechanisms to guard against invalid key parameters.

Generated by OpenCVE AI on April 18, 2026 at 07:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9c48-w39g-hm26 rsa crate has potential panic on a prime being equal to 1
History

Thu, 12 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:rustcrypto:rsa:*:*:*:*:*:rust:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Rustcrypto
Rustcrypto rsa
Vendors & Products Rustcrypto
Rustcrypto rsa

Fri, 09 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
Description The `rsa` crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue.
Title rsa crate has potential panic on a prime being equal to 1
Weaknesses CWE-703
References
Metrics cvssV4_0

{'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Rustcrypto Rsa
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T15:55:13.043Z

Reserved: 2026-01-05T17:24:36.929Z

Link: CVE-2026-21895

cve-icon Vulnrichment

Updated: 2026-01-08T14:52:13.054Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-08T14:15:57.720

Modified: 2026-03-12T19:27:31.327

Link: CVE-2026-21895

cve-icon Redhat

Severity : Low

Publid Date: 2026-01-08T14:06:29Z

Links: CVE-2026-21895 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T07:45:24Z

Weaknesses