Summaryinfo

A vulnerability identified as problematic has been detected in sequoia-pgp sequoia Crate up to 1.20.x on Rust. This impacts the function RawCertParser. Performing a manipulation results in infinite loop. This vulnerability is known as CVE-2024-58261. Attacking locally is a requirement. No exploit is available. You should upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as problematic, was found in sequoia-pgp sequoia Crate up to 1.20.x on Rust. This affects the function RawCertParser. The manipulation with an unknown input leads to a infinite loop vulnerability. CWE is classifying the issue as CWE-835. The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. This is going to have an impact on availability. The summary by CVE is:

The sequoia-openpgp crate 1.13.0 before 1.21.0 for Rust allows an infinite loop of "Reading a cert: Invalid operation: Not a Key packet" messages for RawCertParser operations that encounter an unsupported primary key type.

The advisory is shared at rustsec.org. This vulnerability is uniquely identified as CVE-2024-58261 since 07/27/2025. The exploitability is told to be difficult. An attack has to be approached locally. Technical details are known, but no exploit is available.

Upgrading to version 1.21.0 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2024-54821). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Rust Package

Vendor

• sequoia-pgp

Name

• sequoia Crate

Version

• 1.0
• 1.1
• 1.2
• 1.3
• 1.4
• 1.5
• 1.6
• 1.7
• 1.8
• 1.9
• 1.10
• 1.11
• 1.12
• 1.13
• 1.14
• 1.15
• 1.16
• 1.17
• 1.18
• 1.19
• 1.20

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion