GHSA-7587-4wv6-m68m: rPGP vulnerable to parser crash on crafted RSA secret key packets through CVE-2026-21895

February 13, 2026

It was possible to trigger an unhandled edge case in the Rust Crypto rsa crate through rPGP packet parsing functionality, and crash the process that runs rPGP. This problem has been patched in a new rsa version. The new release of rPGP ensures a patched version of the rsa crate is in use, which prevents this issue.

References

github.com/advisories/GHSA-7587-4wv6-m68m
github.com/rpgp/rpgp
github.com/rpgp/rpgp/commit/38efa49ce18b3821649de9cd8dea88a959b833a5
github.com/rpgp/rpgp/pull/698
github.com/rpgp/rpgp/security/advisories/GHSA-7587-4wv6-m68m

Code Behaviors & Features

Detect and mitigate GHSA-7587-4wv6-m68m with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →