Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.7
rPGP Crashes on Malicious PGP Key
GHSA-7587-4wv6-m68m
Summary
The rPGP software can crash if it receives a specially crafted PGP key. This can happen if an attacker sends a malicious key to the application. To fix this, update to the latest version of rPGP, which includes a patched version of a underlying library that prevents the issue. If you're using an older version of rPGP, you can also manually update the underlying library to the patched version.
What to do
- Update pgp to version 0.19.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | pgp | > 0.16.0-alpha.0 , <= 0.19.0 | 0.19.0 |
Original title
rPGP vulnerable to parser crash on crafted RSA secret key packets through CVE-2026-21895
Original description
### Summary
It was possible to trigger an unhandled edge case in the Rust Crypto rsa crate through rPGP packet parsing functionality, and crash the process that runs rPGP. This problem has been patched in a new rsa version. The new release of rPGP ensures a patched version of the rsa crate is in use, which prevents this issue.
### Details
While parsing a special RSA secret key packet, rPGP calls the rsa crate with the provided key. On vulnerable versions, this results in a Rust "panic" during key construction. Note that an attacker can trigger this situation even in places where applications don't expect to handle foreign key material, for example while attempting to receive a message.
For more information on the rsa crate vulnerability, see https://github.com/RustCrypto/RSA/security/advisories/GHSA-9c48-w39g-hm26 and https://github.com/RustCrypto/RSA/pull/624.
In rPGP, this has been fixed via https://github.com/rpgp/rpgp/pull/698.
### Impact
This issue impacts availability (i.e. applications can crash).
Affected rPGP versions: rPGP 0.16.0-alpha.0 to 0.18.0
Vulnerable rsa versions: all before version 0.9.10
### Workaround
The issue depends on the combination of affected rPGP and rsa versions. Users of affected rPGP versions can pin the patched rsa 0.9.10 via a cargo lockfile to mitigate the issue.
### Attribution
Discovered by Christian Reitter from Radically Open Security during a security review for Proton AG.
It was possible to trigger an unhandled edge case in the Rust Crypto rsa crate through rPGP packet parsing functionality, and crash the process that runs rPGP. This problem has been patched in a new rsa version. The new release of rPGP ensures a patched version of the rsa crate is in use, which prevents this issue.
### Details
While parsing a special RSA secret key packet, rPGP calls the rsa crate with the provided key. On vulnerable versions, this results in a Rust "panic" during key construction. Note that an attacker can trigger this situation even in places where applications don't expect to handle foreign key material, for example while attempting to receive a message.
For more information on the rsa crate vulnerability, see https://github.com/RustCrypto/RSA/security/advisories/GHSA-9c48-w39g-hm26 and https://github.com/RustCrypto/RSA/pull/624.
In rPGP, this has been fixed via https://github.com/rpgp/rpgp/pull/698.
### Impact
This issue impacts availability (i.e. applications can crash).
Affected rPGP versions: rPGP 0.16.0-alpha.0 to 0.18.0
Vulnerable rsa versions: all before version 0.9.10
### Workaround
The issue depends on the combination of affected rPGP and rsa versions. Users of affected rPGP versions can pin the patched rsa 0.9.10 via a cargo lockfile to mitigate the issue.
### Attribution
Discovered by Christian Reitter from Radically Open Security during a security review for Proton AG.
ghsa CVSS4.0
8.7
Vulnerability type
CWE-703
Published: 13 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026