CVE-2026-21895

The `rsa` crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/RustCrypto/RSA/commit/2926c91bef7cb14a7ccd42220a698cf4b1b692f7	Patch
https://github.com/RustCrypto/RSA/security/advisories/GHSA-9c48-w39g-hm26	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:rustcrypto:rsa:*:*:*:*:*:rust:*:*

History

17 Jun 2026, 10:19

Type	Values Removed	Values Added
Summary		(es) La caja 'rsa' es una implementación RSA escrita en Rust. Antes de la versión 0.9.10, al crear una clave privada RSA a partir de sus componentes, la construcción entra en pánico en lugar de devolver un error cuando uno de los números primos es '1'. La versión 0.9.10 soluciona el problema.

12 Mar 2026, 19:27

Type	Values Removed	Values Added
First Time		Rustcrypto Rustcrypto rsa
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
References	~~() https://github.com/RustCrypto/RSA/commit/2926c91bef7cb14a7ccd42220a698cf4b1b692f7 -~~	() https://github.com/RustCrypto/RSA/commit/2926c91bef7cb14a7ccd42220a698cf4b1b692f7 - Patch
References	~~() https://github.com/RustCrypto/RSA/security/advisories/GHSA-9c48-w39g-hm26 -~~	() https://github.com/RustCrypto/RSA/security/advisories/GHSA-9c48-w39g-hm26 - Vendor Advisory
CPE		cpe:2.3:a:rustcrypto:rsa::::::rust::*

08 Jan 2026, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-08 14:15

Updated : 2026-06-17 10:19

NVD link : CVE-2026-21895

Mitre link : CVE-2026-21895

CVE.ORG link : CVE-2026-21895

JSON object : View

Products Affected

rustcrypto

rsa

CWE

CWE-703

Improper Check or Handling of Exceptional Conditions

{"id": "CVE-2026-21895", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-21895", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T14:52:10.453165Z"}}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "RustCrypto", "product": "RSA", "versions": [{"status": "affected", "version": "< 0.9.10"}]}]}], "published": "2026-01-08T14:15:57.720", "references": [{"url": "https://github.com/RustCrypto/RSA/commit/2926c91bef7cb14a7ccd42220a698cf4b1b692f7", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/RustCrypto/RSA/security/advisories/GHSA-9c48-w39g-hm26", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-703"}]}], "descriptions": [{"lang": "en", "value": "The `rsa` crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue."}, {"lang": "es", "value": "La caja 'rsa' es una implementaci\u00f3n RSA escrita en Rust. Antes de la versi\u00f3n 0.9.10, al crear una clave privada RSA a partir de sus componentes, la construcci\u00f3n entra en p\u00e1nico en lugar de devolver un error cuando uno de los n\u00fameros primos es '1'. La versi\u00f3n 0.9.10 soluciona el problema."}], "lastModified": "2026-06-17T10:19:06.440", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rustcrypto:rsa:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "491081DD-0767-47F2-B946-541C68473B90", "versionEndExcluding": "0.9.10"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}