Infinite Loop Vulnerability in Rust's Sequoia OpenPGP Library
CVE-2024-58261

2.9LOW

Key Information:

Vendor: Sequoia-pgp
Status: Sequoia
Vendor: CVE Published:; 27 July 2025

🔔 Create Sequoia-pgp Vulnerability Alert

What is CVE-2024-58261?

The sequoia-openpgp crate versions prior to 1.21.0 for Rust is susceptible to an infinite loop issue during RawCertParser operations. When an unsupported primary key type is encountered, the system generates a repeated error message, 'Reading a cert: Invalid operation: Not a Key packet.' This behavior can lead to application hangs, impacting the reliability and performance of Rust applications that utilize the sequoia-openpgp crate for cryptographic operations.

Affected Version(s)

sequoia 1.13.0 < 1.21.0

References

https://rustsec.org/advisories/RUSTSEC-2024-0345.html

https://gitlab.com/sequoia-pgp/sequoia/-/issues/1106

https://crates.io/crates/sequoia-openpgp

CVSS V3.1

Score:

2.9

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 27, 2025
Vulnerability Reserved
Jul 27, 2025