Medium severity4.0NVD Advisory· Published Apr 3, 2026· Updated May 1, 2026

CVE-2026-2625

Description

A flaw was found in rust-rpm-sequoia. An attacker can exploit this vulnerability by providing a specially crafted Red Hat Package Manager (RPM) file. During the RPM signature verification process, this crafted file can trigger an error in the OpenPGP signature parsing code, leading to an unconditional termination of the rpm process. This issue results in an application level denial of service, making the system unable to process RPM files for signature verification.

Affected products

Red Hat/Hardened Images
cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:*
Sequoia Pgp/Rpm Sequoia
cpe:2.3:a:sequoia-pgp:rpm-sequoia:-:*:*:*:*:rust:*:*
Red Hat/Enterprise Linux2 versions
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

access.redhat.com/errata/RHSA-2026:12682nvdThird Party Advisory
access.redhat.com/security/cve/CVE-2026-2625nvdMitigationThird Party Advisory
bugzilla.redhat.com/show_bug.cginvdIssue TrackingThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000