GHSA-C7PH-F7JM-XV4W

Vulnerability from github – Published: 2026-02-13 20:55 – Updated: 2026-02-13 20:55
Summary
rPGP's integrity protection of encrypted data was not always checked
Details

Summary

For some messages, rPGP returned incorrectly decrypted data without signaling that integrity protection was invalid.

Details

When decrypting SEIPD (Symmetrically Encrypted and Integrity Protected Data Packet), rPGP previously did not, under all circumstances, report the absence of valid integrity protection to callers of the library.

Impact

While the resulting invalid decryption output is not attacker controlled, its contents may be a security concern if an attacker can gain access to it.

Attribution

Discovered internally in the course of rPGP development work.


{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "pgp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.16.0-alpha.0"
            },
            {
              "fixed": "0.19.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-354"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-13T20:55:20Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nFor some messages, rPGP returned incorrectly decrypted data without signaling that integrity protection was invalid.\n\n### Details\nWhen decrypting SEIPD (Symmetrically Encrypted and Integrity Protected Data Packet), rPGP previously did not under all circumstances report the absence of valid integrity protection to callers of the library.\n\n### Impact\nWhile the resulting invalid decryption output is not attacker controlled, its contents may be a security concern if an attacker can gain access to it.\n\n### Attribution\nDiscovered internally in the course of rPGP development work.",
  "id": "GHSA-c7ph-f7jm-xv4w",
  "modified": "2026-02-13T20:55:20Z",
  "published": "2026-02-13T20:55:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rpgp/rpgp/security/advisories/GHSA-c7ph-f7jm-xv4w"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rpgp/rpgp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "rPGP\u0027s integrity protection of encrypted data was not always checked"
}

