Sequoia OpenPGP Remote Denial-of-Service Vulnerability via Crafted Encrypted Message

Vulnerability

A denial-of-service vulnerability has been identified in Sequoia OpenPGP versions prior to 2.1.0. The issue arises in the 'aes_key_unwrap' function, which panics when it receives a ciphertext that is too short. This behavior can be exploited by a remote attacker who sends an encrypted message with a modified PKESK or SKESK packet, causing the application to crash when the message is decrypted.

Impact

Exploitation of this vulnerability leads to a crash of the application processing the crafted encrypted message.

Reproduction

The vulnerability can be reproduced by sending an encrypted message whose PKESK or SKESK packet has been intentionally modified so that the wrapped key ciphertext is too short. When the recipient application attempts to decrypt the message, 'aes_key_unwrap' hits the length underflow and panics, crashing the application.

Remediation

Users can upgrade to Sequoia OpenPGP version 2.1.0 or later to address this vulnerability.
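As an added illustration (not Sequoia's code), the following RFC 3394 key unwrap validates the ciphertext length before any arithmetic or slicing, so a truncated wrapped key from a PKESK or SKESK packet becomes an error instead of the panic described above. The block cipher is pluggable; the 128-bit toy permutation and the key below are constructed stand-ins for AES so the example runs offline.

```rust
use std::convert::TryInto;
const IV: u64 = 0xA6A6_A6A6_A6A6_A6A6; // RFC 3394 default integrity check value
const KEY: [u8; 16] = *b"constructed-key!"; // constructed toy key, 16 bytes

#[derive(Debug, PartialEq)]
pub enum UnwrapError { BadLength(usize), BadIntegrity }
fn be(c: &[u8]) -> u64 { u64::from_be_bytes(c.try_into().unwrap()) }
fn block(hi: u64, lo: u64) -> [u8; 16] { let mut b = [0u8; 16]; b[..8].copy_from_slice(&hi.to_be_bytes()); b[8..].copy_from_slice(&lo.to_be_bytes()); b }

/// RFC 3394 unwrap over a pluggable 128-bit block decryption. The length is
/// validated before any arithmetic or slicing, so a truncated ciphertext is an
/// Err rather than a panic (the failure mode described in the advisory).
pub fn key_unwrap(dec: impl Fn([u8; 16]) -> [u8; 16], ct: &[u8]) -> Result<Vec<u8>, UnwrapError> {
    if ct.len() < 24 || ct.len() % 8 != 0 {
        return Err(UnwrapError::BadLength(ct.len()));
    }
    let n = ct.len() / 8 - 1; // cannot underflow: ct.len() >= 24 was checked above
    let mut a = be(&ct[..8]);
    let mut r: Vec<u64> = ct[8..].chunks(8).map(be).collect();
    for j in (0..6).rev() {
        for i in (1..=n).rev() {
            let out = dec(block(a ^ (n * j + i) as u64, r[i - 1]));
            a = be(&out[..8]);
            r[i - 1] = be(&out[8..]);
        }
    }
    if a != IV { return Err(UnwrapError::BadIntegrity); }
    Ok(r.iter().flat_map(|w| w.to_be_bytes()).collect())
}

/// Matching RFC 3394 wrap; used here only to produce a ciphertext for the toy cipher.
pub fn key_wrap(enc: impl Fn([u8; 16]) -> [u8; 16], pt: &[u8]) -> Vec<u8> {
    let n = pt.len() / 8;
    let (mut a, mut r): (u64, Vec<u64>) = (IV, pt.chunks(8).map(be).collect());
    for j in 0..6 {
        for i in 1..=n {
            let out = enc(block(a, r[i - 1]));
            a = be(&out[..8]) ^ (n * j + i) as u64;
            r[i - 1] = be(&out[8..]);
        }
    }
    let mut ct = a.to_be_bytes().to_vec();
    ct.extend(r.iter().flat_map(|w| w.to_be_bytes()));
    ct
}

/// Toy 128-bit permutation standing in for AES (not secure; it only needs to be a bijection).
pub fn toy_enc(mut b: [u8; 16]) -> [u8; 16] { b.iter_mut().zip(KEY).for_each(|(x, k)| *x ^= k); b.rotate_left(3); b }
pub fn toy_dec(mut b: [u8; 16]) -> [u8; 16] { b.rotate_right(3); b.iter_mut().zip(KEY).for_each(|(x, k)| *x ^= k); b }
```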

Added: Dec 14, 2025, 5:18 AM
Updated: Dec 14, 2025, 5:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.