PGP vulnerabilities

9 known vulnerabilities affecting pgp/pgp.

Total CVEs: 9
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 2, LOW 4

Vulnerabilities

CVE-2026-21895 | LOW | CVSS 2.7 | CWE-703 | ≥ 0.16.0-alpha.0, < 0.19.0 | 2026-02-13
rPGP vulnerable to parser crash on crafted RSA secret key packets through CVE-2026-21895
### Summary
It was possible to trigger an unhandled edge case in the Rust Crypto rsa crate through rPGP packet parsing functionality, and crash the process that runs rPGP. This problem has been patched in a new rsa version. The new release of rPGP ensures a patched version of the rsa crate i
ghsa, osv

CVE-2024-53857 | HIGH | CWE-770 | ≥ 0, < 0.14.2 | 2024-12-05
rPGP Potential Resource Exhaustion when handling Untrusted Messages
During a security audit, [Radically Open Security](https://www.radicallyopensecurity.com/) discovered two vulnerabilities which allow attackers to trigger resource exhaustion vulnerabilities in `rpgp` by providing crafted messages. This affects general message parsing and decryption with symmetric keys.
### Impact
Affected `rpgp`
ghsa, osv

CVE-2024-53856 | HIGH | CWE-130 | ≥ 0, < 0.14.1 | 2024-12-05
rPGP Panics on Malformed Untrusted Input
During a security audit, [Radically Open Security](https://www.radicallyopensecurity.com/) discovered several reachable edge cases which allow an attacker to trigger `rpgp` crashes by providing crafted data.
### Impact
When processing malformed input, `rpgp` can run into Rust panics which halt the program. This can happen in the following scenarios:
* Parsing OpenPGP messages from b
ghsa, osv

CVE-2002-1977 | LOW | CVSS 2.1 | v7.0.4, v7.1 | 2002-12-31
Network Associates PGP 7.0.4 and 7.1 does not time out according to the value set in the "Passphrase Cache" option, which could allow attackers to open encrypted files without providing a passphrase.
nvd

CVE-2001-1016 | HIGH | CVSS 7.5 | v5.0, v6.0.2 | 2001-09-04
PGP Corporate Desktop before 7.1, Personal Security before 7.0.3, Freeware before 7.0.3, and E-Business Server before 7.1 does not properly display when invalid user IDs are used to sign a message, which could allow an attacker to make the user believe that the document has been signed by a trusted third party by adding a second, invalid user ID to a key which
nvd

CVE-2001-0435 | MEDIUM | CVSS 4.6 | v7.0 | 2001-07-02
The split key mechanism used by PGP 7.0 allows a key share holder to obtain access to the entire key by setting the "Cache passphrase while logged on" option and capturing the passphrases of other share holders as they authenticate.
nvd

CVE-2001-0265 | LOW | CVSS 2.1 | PoC | ≤ 7.0.3, v5 | 2001-06-18
ASCII Armor parser in Windows PGP 7.0.3 and earlier allows attackers to create files in arbitrary locations via a malformed ASCII armored file.
nvd

CVE-2000-0678 | MEDIUM | CVSS 5.0 | v5.5.3i, v6.5.1i, +1 more | 2000-10-20
PGP 5.5.x through 6.5.3 does not properly check if an Additional Decryption Key (ADK) is stored in the signed portion of a public certificate, which allows an attacker who can modify a victim's public certificate to decrypt any data that has been encrypted with the modified certificate.
nvd

CVE-2000-0445 | LOW | CVSS 2.1 | v5.0_linux, v5.0i, +1 more | 2000-05-24
The pgpk command in PGP 5.x on Unix systems uses an insufficiently random data source for non-interactive key pair generation, which may produce predictable keys.
nvd