Description
A flaw was found in rust-rpm-sequoia. An attacker can exploit this vulnerability by providing a specially crafted Red Hat Package Manager (RPM) file. During the RPM signature verification process, this crafted file can trigger an error in the OpenPGP signature parsing code, leading to an unconditional termination of the rpm process. This issue results in an application level denial of service, making the system unable to process RPM files for signature verification.
Published: 2026-04-03
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Application‑level Denial of Service
Action: Apply Patch
AI Analysis

Impact

A flaw in rust‑rpm‑sequoia allows an attacker to craft a malicious RPM file that, when verified, triggers an error in the OpenPGP signature parsing code. This error causes the rpm tool to terminate unconditionally, resulting in a denial of service at the application level. The disruption limits the system’s ability to process RPM files for signature verification, potentially breaking package management and enforcement of software integrity.

Affected Systems

The vulnerability affects Red Hat Enterprise Linux 9 and 10 (cpe:/o:redhat:enterprise_linux:9 and :10) and Red Hat Hardened Images (cpe:/a:redhat:hummingbird:1), in the rpm builds that incorporate the rust-rpm-sequoia component. No affected or fixed package versions are listed on this page, so any rpm build that links rust-rpm-sequoia should be treated as affected until the vendor update carrying the fix has been applied.

Risk and Exploitability

The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, score 4.0) describes a local attack that needs no privileges or user interaction and affects availability only, which is consistent with Red Hat's Moderate rating. The EPSS score below 1% indicates a very low but nonzero probability of exploitation, and the CVE is not listed in the CISA KEV catalog, so no exploitation in the wild is known. An attacker needs to get a crafted RPM in front of the host's rpm verifier, either by running the check locally or through any workflow that verifies attacker-supplied packages (a build or mirroring pipeline, for example). Because the outcome is an unconditional termination of the rpm process, the attacker can make the tool unusable for that input but gains neither code execution nor any confidentiality or integrity impact.

Generated by OpenCVE AI on April 15, 2026 at 16:40 UTC.

Remediation

Vendor Workaround

Avoid processing untrusted or attacker-controlled RPM files with rpm -Kv or rpm --checksig. Because the flaw is in the signature verification path, the same parsing code runs wherever rpm verifies a package signature, so installing such files deserves the same caution. Use isolated environments or additional validation layers when handling untrusted RPM artifacts.


OpenCVE Recommended Actions

  • Install the latest Red Hat updates that contain the fix for rust‑rpm‑sequoia
  • Configure systems to avoid running rpm verification on untrusted or attacker‑controlled RPM files
  • Implement isolation or additional validation layers when processing external RPM artifacts
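A wrapper that applies the isolation advice above, added here as an example (it is not OpenCVE's, Red Hat's or rpm's own code): each untrusted package is verified in its own `rpm --checksig` subprocess with a timeout and resource caps, so a package that aborts rpm, as this CVE describes, is recorded as a failed check instead of killing the caller, and the rest of the batch still gets checked. It assumes the standard `rpm` CLI on PATH and its conventional exit status (0 when all checks pass, non-zero otherwise; Python reports a child killed by signal N as returncode -N), and Linux rlimits; the limit values are illustrative, not vendor recommendations.

```python
"""Batch signature checks on untrusted RPMs, one file per rpm subprocess.

Added example, not code from OpenCVE, Red Hat or rpm.  Assumptions: the
standard `rpm` CLI is on PATH and uses its conventional exit status
(0 = all checks passed, non-zero = a check failed); Python reports a child
killed by signal N as returncode -N; the rlimits below are Linux-only and
their values are illustrative.
"""
import os
import resource
import shutil
import signal
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    path: str
    status: str   # "ok" | "bad_signature" | "crashed" | "timeout" | "error"
    detail: str


def classify(returncode: int, output: str) -> tuple[str, str]:
    """Map a finished rpm process to (status, detail).

    A bug in the verifier shows up as rpm dying from a signal (SIGABRT,
    SIGSEGV); that must not be confused with an honest "NOT OK" result,
    nor silently treated as acceptable.
    """
    if returncode == 0:
        return "ok", "digests and signatures OK"
    if returncode < 0:
        try:
            name = signal.Signals(-returncode).name
        except ValueError:
            name = f"signal {-returncode}"
        return "crashed", f"rpm terminated by {name}"
    if "NOT OK" in output:               # rpm -K prints e.g. "digests SIGNATURES NOT OK"
        return "bad_signature", output.strip().splitlines()[-1]
    return "error", f"rpm exited {returncode}: {output.strip()[:200]}"


def _limit_resources() -> None:
    """Runs in the child before exec: cap CPU time and address space so a
    pathological package cannot exhaust the host either (assumed limits)."""
    resource.setrlimit(resource.RLIMIT_CPU, (30, 30))
    resource.setrlimit(resource.RLIMIT_AS, (1 << 30, 1 << 30))


def check_rpm(path: str, timeout: float = 60.0) -> Verdict:
    """Verify one package in a fresh rpm process.  Raises only if rpm itself
    is missing; whatever the package does to rpm becomes a Verdict."""
    rpm = shutil.which("rpm")
    if rpm is None:
        raise FileNotFoundError("rpm binary not found on PATH")
    path = os.path.abspath(path)   # an absolute path can never be parsed as an option
    try:
        proc = subprocess.run(
            [rpm, "--checksig", path],
            capture_output=True, text=True, timeout=timeout,
            preexec_fn=_limit_resources,
        )
    except subprocess.TimeoutExpired:
        return Verdict(path, "timeout", f"no result within {timeout}s")
    status, detail = classify(proc.returncode, proc.stdout + proc.stderr)
    return Verdict(path, status, detail)


def check_batch(paths) -> list[Verdict]:
    """Check every file; a crash on one package must not stop the others."""
    return [check_rpm(p) for p in paths]


def accept(verdict: Verdict) -> bool:
    """Only an unambiguous 'ok' is acceptable: crashes and timeouts count as
    failed verification, never as 'unknown, let it through'."""
    return verdict.status == "ok"


if __name__ == "__main__":
    import sys
    for v in check_batch(sys.argv[1:]):
        print(f"{'ACCEPT' if accept(v) else 'REJECT'}  {v.status:<14} {v.path}  ({v.detail})")
```

Run it as `python3 check_rpms.py /path/to/untrusted/*.rpm` on a host that has the rpm CLI. The important design choice is in `accept`: a crashed or timed-out verifier is a rejection, because a pipeline that treats "verification did not complete" as anything other than failure turns this denial-of-service bug into a signature bypass.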


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Metrics (added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 19:00:00 +0000

Description (replaced)
Removed: No description is available for this CVE.
Added: A flaw was found in rust-rpm-sequoia. An attacker can exploit this vulnerability by providing a specially crafted Red Hat Package Manager (RPM) file. During the RPM signature verification process, this crafted file can trigger an error in the OpenPGP signature parsing code, leading to an unconditional termination of the rpm process. This issue results in an application level denial of service, making the system unable to process RPM files for signature verification.

Title (replaced)
Removed: rust-rpm-sequoia: rust-rpm-sequoia: Denial of Service via crafted RPM file during signature verification
Added: Rust-rpm-sequoia: rust-rpm-sequoia: denial of service via crafted rpm file during signature verification

First Time appeared (added): Redhat; Redhat enterprise Linux; Redhat hummingbird

CPEs (added): cpe:/a:redhat:hummingbird:1; cpe:/o:redhat:enterprise_linux:10; cpe:/o:redhat:enterprise_linux:9

Vendors & Products (added): Redhat; Redhat enterprise Linux; Redhat hummingbird

References (changed)

Wed, 18 Feb 2026 11:00:00 +0000

First Time appeared (added): Rust-rpm-sequoia; Rust-rpm-sequoia rust-rpm-sequoia

Vendors & Products (added): Rust-rpm-sequoia; Rust-rpm-sequoia rust-rpm-sequoia

Wed, 18 Feb 2026 00:15:00 +0000

Description (added): No description is available for this CVE.

Title (added): rust-rpm-sequoia: rust-rpm-sequoia: Denial of Service via crafted RPM file during signature verification

Weaknesses (added): CWE-347

References (changed)

Metrics
threat_severity: None -> Moderate
cvssV3_1 (added): {'score': 4.0, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-08T18:52:06.906Z

Reserved: 2026-02-17T13:16:29.204Z

Link: CVE-2026-2625

Vulnrichment

Updated: 2026-04-08T18:52:03.161Z

NVD

Status: Awaiting Analysis

Published: 2026-04-03T19:17:22.340

Modified: 2026-04-07T13:20:55.200

Link: CVE-2026-2625

Redhat

Severity: Moderate

Public Date: 2026-02-17T12:34:00Z

Links: CVE-2026-2625 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses