UBUNTU-CVE-2026-2625

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-2625

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-2625.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-2625

Upstream

CVE-2026-2625

Published

2026-04-03T19:17:00Z

Modified

2026-05-20T16:24:48.994265694Z

Severity

4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

A flaw was found in rust-rpm-sequoia. An attacker can exploit this vulnerability by providing a specially crafted Red Hat Package Manager (RPM) file. During the RPM signature verification process, this crafted file can trigger an error in the OpenPGP signature parsing code, leading to an unconditional termination of the rpm process. This issue results in an application level denial of service, making the system unable to process RPM files for signature verification.

References

Affected packages

Ubuntu:25.10 / rust-rpm-sequoia

Package

Name: rust-rpm-sequoia
Purl: pkg:deb/ubuntu/rust-rpm-sequoia?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.7.0-3

1.8.0-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "librpm-sequoia-1",
            "binary_version": "1.8.0-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-2625.json"

Ubuntu:26.04:LTS / rust-rpm-sequoia