Fluid Attacks Database

Description

A flaw was found in the RSA crate, an RSA implementation in Rust. When an application attempts to create an RSA private key from its components, a remote attacker could provide a malformed prime value of '1'. This invalid input causes the application to panic, leading to a Denial of Service (DoS).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	rust-rsa	=0.9.10-1 \|\| =0.9.7-1 \|\| =0.9.9-1	-
debian 14	rust-rsa	=0.9.7-1 \|\| =0.9.9-1 \|\| >=0 <0.9.10-1	0.9.10-1
rpm rhel10	trustee-guest-components	-	-
rpm rhel10	rust-sequoia-sqv	-	-
rpm rhel10	virt-firmware-rs	-	-
rpm rhel10	rust-sequoia-sq	-	-
rpm rhel9	trustee-guest-components	-	-
cargo	rsa	>=0 <0.9.10	0.9.10

Aliases

1. CVE-2026-218952. NVD-2026-218953. OSV-DEBIAN-2026-218954. OSV-2026-218955. GHSA-9c48-w39g-hm266. GCVE-2026-218957. SECURITY-TRACKER-CVE-2026-21895

References

1. https://github.com/RustCrypto/RSA/security/advisories/GHSA-9c48-w39g-hm262. https://github.com/RustCrypto/RSA/commit/2926c91bef7cb14a7ccd42220a698cf4b1b692f7

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.