
Fedora 43: Critical Issue in RNP Session Key Decryption Found

fedora
November 29, 2025
Critical security fix in Fedora 43 rnp addresses key generation flaws allowing decryption of messages.

Summary

RNP is a set of OpenPGP (RFC4880) tools.

Update Information:

Version 0.18.1

Security: Fixed critical issue where PKESK (public-key encrypted) session keys were generated as all-zero, allowing trivial decryption of messages encrypted with public keys only (CVE-2025-13470, CVE-2025-13402)

Change Log

* Fri Nov 21 2025 Remi Collet - 0.18.1-1
- update to 0.18.1 for CVE-2025-13402
- disable gpg check reported as https://github.com/rnpgp/rnp/issues/2375

References


[1] Bug #2415870 - CVE-2025-13402 rnp: RNP PKESK Session Keys Generated as All-Zero [fedora-43]
    https://bugzilla.redhat.com/show_bug.cgi?id=2415870
[2] Bug #2417035 - CVE-2025-13470 rnp: RNP: Confidentiality compromise due to uninitialized symmetric session key in Public-Key Encrypted Session Key (PKESK) packets [fedora-43]
    https://bugzilla.redhat.com/show_bug.cgi?id=2417035

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-a96ccc98ca' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
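
To confirm that a host actually carries the fixed build after the upgrade, the following check compares the installed rnp package against the version and release listed in this advisory (0.18.1, 1.fc43). It is an added example, not part of the Fedora advisory or the rnp project; the function names and the simplified version comparison are assumptions, and it only reports whether a build is at least the one shipped here, not whether an older build was affected.

```shell
#!/bin/sh
# Added example: the values below come from this advisory's package table.
FIXED_VERSION="0.18.1"   # Version: 0.18.1
FIXED_RELEASE="1"        # Release: 1.fc43 (dist tag ignored when comparing)

# ver_ge A B: succeed when dotted version A >= B.
# Assumption: only the leading digits of each component are compared, which
# covers rnp's x.y.z versions; this is not a full rpmvercmp implementation.
ver_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# rnp_status VERSION-RELEASE: print "fixed" or "needs-update".
rnp_status() {
    ver=${1%%-*}; rel=${1#*-}
    if [ "$rel" = "$1" ]; then rel=$FIXED_RELEASE; fi   # no release given
    if [ "$ver" = "$FIXED_VERSION" ]; then
        if ver_ge "$rel" "$FIXED_RELEASE"; then echo fixed; else echo needs-update; fi
    elif ver_ge "$ver" "$FIXED_VERSION"; then
        echo fixed
    else
        echo needs-update
    fi
}

# audit_rnp: classify the rnp build recorded in the local rpm database.
audit_rnp() {
    if ! command -v rpm >/dev/null 2>&1; then echo no-rpm; return 0; fi
    if vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' rnp 2>/dev/null); then
        rnp_status "$vr"
    else
        echo not-installed
    fi
}

# Constructed sample inputs first, then the host this script runs on.
for s in 0.18.0-1.fc43 0.18.1-1.fc43; do echo "$s: $(rnp_status "$s")"; done
echo "this host: $(audit_rnp)"
```
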

Severity
critical

Name: rnp
Product: Fedora 43
Version: 0.18.1
Release: 1.fc43
Summary: OpenPGP (RFC4880) tools
