CVE-2026-39829
published 2026-05-22

Priority: P3 · 44 · high · 7.5 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.39% (30.8th percentile)

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Affected

198 ranges · showing 25

Vendor                           Product                                        Version range   Fixed in
advanced-cluster-security        rhacs-main-rhel8
advanced-cluster-security        rhacs-rhel8-operator
advanced-cluster-security        rhacs-roxctl-rhel8
advanced-cluster-security        rhacs-scanner-rhel8
advanced-cluster-security        rhacs-scanner-slim-rhel8
advanced-cluster-security        rhacs-scanner-v4-rhel8
assisted                         agent-preinstall-image-builder-rhel9
buildah_project                  buildah
cert-manager                     jetstack-cert-manager-acmesolver-rhel9
cert-manager                     jetstack-cert-manager-rhel9
compliance                       openshift-security-profiles-operator-bundle
compliance                       openshift-security-profiles-rhel8-operator
container-native-virtualization  virt-api-rhel9
container-native-virtualization  virt-artifacts-server-rhel9
container-native-virtualization  virt-controller-rhel9
container-native-virtualization  virt-exportproxy-rhel9
container-native-virtualization  virt-exportserver-rhel9
container-native-virtualization  virt-handler-rhel9
container-native-virtualization  virt-launcher-rhel9
container-native-virtualization  virt-operator-rhel9
container-tools_rhel8            buildah
container-tools_rhel8            podman
cryostat                         cryostat-storage-rhel9
devspaces                        traefik-rhel9
devworkspace                     devworkspace-project-clone-rhel9

CVSS provenance

nvd · v3.1 · 7.5 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat · 7.5 · HIGH