Rust `rsa` Crate Panic Vulnerability When Loading Private Keys with Primes Equal to One

Vulnerability

A vulnerability exists in the `rsa` crate, an RSA implementation in Rust, prior to version 0.9.10. When constructing an RSA private key from its components, the process panics if one of the primes is equal to one, instead of returning an appropriate error. This issue has been fixed in version 0.9.10.

Impact

The vulnerability can lead to a panic, causing a denial of service by abruptly terminating the program.

Reproduction

To reproduce this vulnerability, create an RSA private key using the `RsaPrivateKey::from_components` method. Include a prime that is equal to one in the components. The key construction will panic instead of handling the error gracefully.

Remediation

Users can upgrade to version 0.9.10 or later to address this vulnerability.
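
Where key components come from untrusted input, a pre-check can reject a prime equal to one before it reaches the key constructor. The guard below is an added example, not code from the `rsa` crate or from this advisory; `ComponentError`, `check_components` and the sample values are hypothetical. It assumes the primes are supplied explicitly as big-endian bytes, and its product check goes beyond the single case described above.

```rust
// Added example (not from the `rsa` crate): std-only guard for key components.
// `ComponentError` and `check_components` are hypothetical names.
#[derive(Debug, PartialEq)]
pub enum ComponentError {
    TooFewPrimes,
    PrimeTooSmall(usize), // index of a prime whose value is 0 or 1
    ProductMismatch,
}
/// Drop leading zero bytes so that 0x0001 and 0x01 compare equal.
fn trim(b: &[u8]) -> &[u8] {
    &b[b.iter().position(|&x| x != 0).unwrap_or(b.len())..]
}
/// Schoolbook multiplication of two big-endian integers.
fn mul_be(a: &[u8], b: &[u8]) -> Vec<u8> {
    let mut acc = vec![0u64; a.len() + b.len()]; // little-endian column sums
    for (i, &x) in a.iter().rev().enumerate() {
        for (j, &y) in b.iter().rev().enumerate() {
            acc[i + j] += x as u64 * y as u64;
        }
    }
    let mut carry = 0u64;
    for v in acc.iter_mut() {
        let t = *v + carry;
        *v = t & 0xff;
        carry = t >> 8;
    }
    let be: Vec<u8> = acc.iter().rev().map(|&v| v as u8).collect();
    trim(&be).to_vec()
}

/// Reject primes equal to 0 or 1 and factor lists that do not multiply to `n`.
pub fn check_components(n: &[u8], primes: &[&[u8]]) -> Result<(), ComponentError> {
    if primes.len() < 2 {
        return Err(ComponentError::TooFewPrimes);
    }
    let mut product = vec![1u8];
    for (i, p) in primes.iter().enumerate() {
        let p = trim(p);
        if matches!(p, [] | [1]) {
            return Err(ComponentError::PrimeTooSmall(i));
        }
        product = mul_be(&product, p);
    }
    if product.as_slice() == trim(n) { Ok(()) } else { Err(ComponentError::ProductMismatch) }
}

fn main() {
    // Constructed sample: n = 3233 with "primes" 1 and 3233 (the degenerate case).
    println!("{:?}", check_components(&[0x0c, 0xa1], &[&[1u8][..], &[0x0cu8, 0xa1][..]]));
}
```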

Added: Jan 8, 2026, 2:18 PM
Updated: Jan 8, 2026, 6:44 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.