
rPGP Fails to Detect Tampered Encrypted Data

GHSA-c7ph-f7jm-xv4w
Summary

rPGP's encrypted data protection may not work as expected, potentially exposing sensitive information if an unauthorized person accesses it. This is because rPGP doesn't always detect when encrypted data has been tampered with. To address this issue, update to the latest version of rPGP.

What to do
  • Update pgp to version 0.19.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | pgp | > 0.16.0-alpha.0, <= 0.19.0 | 0.19.0 |
Original title
rPGP's integrity protection of encrypted data was not always checked
Original description
### Summary
For some messages, rPGP returned incorrectly decrypted data without signaling that integrity protection was invalid.

### Details
When decrypting SEIPD (Symmetrically Encrypted and Integrity Protected Data Packet), rPGP previously did not under all circumstances report the absence of valid integrity protection to callers of the library.
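
The following added example is not from the advisory or from rPGP. It shows what such an integrity check looks like for one case, the SEIPD version 1 trailer defined in RFC 9580 (a SHA-1 MDC over prefix, payload and the `0xD3 0x14` header), and it returns no plaintext unless the check validates. Assumptions: Python is used for its built-in SHA-1, the input is the already-decrypted packet body with a 16-byte cipher block, and all function names and the sample payload are constructed here.

```python
import hashlib
import hmac
import os

MDC_HEADER = b"\xd3\x14"  # MDC packet tag octet + length octet (20)
MDC_LEN = 20              # SHA-1 digest size


class IntegrityError(Exception):
    """Raised instead of returning any plaintext when the MDC is absent or wrong."""


def build_seipd_v1_plaintext(payload: bytes, block_size: int = 16) -> bytes:
    """Assemble the pre-encryption bytes of a SEIPD v1 body (hypothetical demo helper)."""
    prefix = os.urandom(block_size)
    prefix += prefix[-2:]                       # two repeated quick-check octets
    body = prefix + payload + MDC_HEADER        # everything the MDC hash covers
    return body + hashlib.sha1(body).digest()


def verify_and_strip_mdc(decrypted: bytes, block_size: int = 16) -> bytes:
    """Return the payload only if the trailing MDC validates; otherwise raise."""
    prefix_len = block_size + 2
    if len(decrypted) < prefix_len + len(MDC_HEADER) + MDC_LEN:
        raise IntegrityError("too short to contain an MDC")
    body, mdc = decrypted[:-MDC_LEN], decrypted[-MDC_LEN:]
    if not body.endswith(MDC_HEADER):
        raise IntegrityError("MDC packet missing")
    if not hmac.compare_digest(hashlib.sha1(body).digest(), mdc):
        raise IntegrityError("MDC mismatch: data was modified")
    return body[prefix_len:-len(MDC_HEADER)]


def try_decrypt(decrypted: bytes):
    """Caller-side pattern: (ok, payload), with payload None on any integrity failure."""
    try:
        return True, verify_and_strip_mdc(decrypted)
    except IntegrityError:
        return False, None


if __name__ == "__main__":
    good = build_seipd_v1_plaintext(b"constructed sample payload")
    flipped = bytearray(good)
    flipped[20] ^= 0x01                         # one bit changed inside the payload
    for label, blob in (("intact", good), ("modified", bytes(flipped)),
                        ("MDC stripped", good[:-22])):
        print(label, try_decrypt(blob))
```
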

### Impact
While the resulting invalid decryption output is not attacker controlled, its contents may be a security concern if an attacker can gain access to it.

### Attribution
Discovered internally in the course of rPGP development work.
ghsa CVSS4.0 6.3
Vulnerability type
CWE-354
Published: 13 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026