Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.7
rPGP crashes when parsing deeply nested messages
GHSA-8h58-w33p-wq3g
Summary
rPGP versions before 0.19.0 can crash if it receives a message with many nested layers. This could allow an attacker to make rPGP applications crash. Update to rPGP 0.19.0 to fix this issue.
What to do
- Update pgp to version 0.19.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | pgp | > 0.16.0-alpha.0 , <= 0.19.0 | 0.19.0 |
Original title
rPGP affected by crash in message handling for deeply nested messages
Original description
### Summary
Previous rPGP versions could be caused to crash with a "stack overflow" when parsing messages that contain deeply nested message layers, such as messages with many signatures.
rPGP 0.19.0 resolves this issue with a more robust message handling implementation (via https://github.com/rpgp/rpgp/pull/625).
### Impact
An attacker could cause applications to crash in rPGP's message parsing subsystem, when applications attempt to ingest messages.
### Attribution
Discovered internally during rPGP development, using a fuzz test suite previously contributed by Christian Reitter.
Previous rPGP versions could be caused to crash with a "stack overflow" when parsing messages that contain deeply nested message layers, such as messages with many signatures.
rPGP 0.19.0 resolves this issue with a more robust message handling implementation (via https://github.com/rpgp/rpgp/pull/625).
### Impact
An attacker could cause applications to crash in rPGP's message parsing subsystem, when applications attempt to ingest messages.
### Attribution
Discovered internally during rPGP development, using a fuzz test suite previously contributed by Christian Reitter.
ghsa CVSS4.0
8.7
Vulnerability type
CWE-121
Stack-based Buffer Overflow
Published: 13 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026