Skip to content

Potential panic on a prime being equal to 1

Low
dignifiedquire published GHSA-9c48-w39g-hm26 Jan 6, 2026

Package

cargo rsa (Rust)

Affected versions

<= 0.9.9

Patched versions

>= 0.9.10

Description

When creating a RSA private key from its components, the construction panics, instead of returning an error, when one of the primes is 1.

Discovered by Christian Reitter from Radically Open Security during a security review for Proton AG.

Severity

Low

CVE ID

CVE-2026-21895

Weaknesses

No CWEs

Credits