CVE-2026-2625: Improper Verification of Cryptographic Signature in Red Hat Red Hat Hardened Images
A flaw was found in rust-rpm-sequoia. An attacker can exploit this vulnerability by providing a specially crafted Red Hat Package Manager (RPM) file. During the RPM signature verification process, this crafted file can trigger an error in the OpenPGP signature parsing code, leading to an unconditional termination of the rpm process. This issue results in an application level denial of service, making the system unable to process RPM files for signature verification.
AI Analysis
Technical Summary
The vulnerability CVE-2026-2625 affects the rust-rpm-sequoia component in Red Hat Hardened Images. It arises from improper verification of cryptographic signatures during RPM package signature validation. A crafted RPM file can cause an error in the OpenPGP signature parsing code, leading to an unconditional termination of the rpm process. This causes a denial of service at the application level by disrupting RPM signature verification. Red Hat has issued a security update (rpm-sequoia-1.10.1.1-1.2.hum1) to fix this issue. The vulnerability has a CVSS v3.1 score of 4.0 (medium severity), with no confidentiality or integrity impact, only availability impact. No exploits are known to be active in the wild.
Potential Impact
Successful exploitation results in an application-level denial of service by terminating the rpm process during signature verification. This prevents the system from processing RPM files for signature verification, potentially disrupting package management operations. There is no impact on confidentiality or integrity. No known exploits in the wild have been reported.
Mitigation Recommendations
Red Hat has released an official security update that addresses this vulnerability in rust-rpm-sequoia version 1.10.1.1-1.2.hum1. Applying this update to Red Hat Hardened Images RPMs will remediate the issue. Users should follow Red Hat's advisory instructions at https://access.redhat.com/security/cve/CVE-2026-2625 to apply the update. Patch status is confirmed by the vendor advisory. No additional mitigation steps are indicated.
CVE-2026-2625: Improper Verification of Cryptographic Signature in Red Hat Red Hat Hardened Images
Description
A flaw was found in rust-rpm-sequoia. An attacker can exploit this vulnerability by providing a specially crafted Red Hat Package Manager (RPM) file. During the RPM signature verification process, this crafted file can trigger an error in the OpenPGP signature parsing code, leading to an unconditional termination of the rpm process. This issue results in an application level denial of service, making the system unable to process RPM files for signature verification.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-2625 affects the rust-rpm-sequoia component in Red Hat Hardened Images. It arises from improper verification of cryptographic signatures during RPM package signature validation. A crafted RPM file can cause an error in the OpenPGP signature parsing code, leading to an unconditional termination of the rpm process. This causes a denial of service at the application level by disrupting RPM signature verification. Red Hat has issued a security update (rpm-sequoia-1.10.1.1-1.2.hum1) to fix this issue. The vulnerability has a CVSS v3.1 score of 4.0 (medium severity), with no confidentiality or integrity impact, only availability impact. No exploits are known to be active in the wild.
Potential Impact
Successful exploitation results in an application-level denial of service by terminating the rpm process during signature verification. This prevents the system from processing RPM files for signature verification, potentially disrupting package management operations. There is no impact on confidentiality or integrity. No known exploits in the wild have been reported.
Mitigation Recommendations
Red Hat has released an official security update that addresses this vulnerability in rust-rpm-sequoia version 1.10.1.1-1.2.hum1. Applying this update to Red Hat Hardened Images RPMs will remediate the issue. Users should follow Red Hat's advisory instructions at https://access.redhat.com/security/cve/CVE-2026-2625 to apply the update. Patch status is confirmed by the vendor advisory. No additional mitigation steps are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-02-17T13:16:29.204Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-2625","vendor":"Red Hat"}]
Threat ID: 69d00aca0a160ebd924e2a81
Added to database: 4/3/2026, 6:45:30 PM
Last enriched: 5/2/2026, 1:53:43 AM
Last updated: 5/20/2026, 9:39:56 PM
Views: 73
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.