CVE-2025-13470
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-13470
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-13470.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-13470
- Downstream
- Published
- 2025-11-21T17:15:50.473Z
- Modified
- 2025-11-27T03:17:11.142706Z
- Severity
-
- 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:H/U:Red CVSS Calculator
- Summary
- [none]
- Details
-
In RNP version 0.18.0 a refactoring regression causes the symmetric session key used for Public-Key Encrypted Session Key (PKESK) packets to be left uninitialized except for zeroing, resulting in it always being an all-zero byte array.
Any data encrypted using public-key encryption in this release can be decrypted trivially by supplying an all-zero session key, fully compromising confidentiality.
The vulnerability affects only public key encryption (PKESK packets). Passphrase-based encryption (SKESK packets) is not affected.
Root cause: Vulnerable session key buffer used in PKESK packet generation.
The defect was introduced in commit
7bd9a8dc356aae756b40755be76d36205b6b161awhere initialization logic insideencrypted_build_skesk()only randomized the key for the SKESK path and omitted it for the PKESK path. - References
-
- https://access.redhat.com/security/cve/cve-2025-13402
- https://aur.archlinux.org/packages/rnp
- https://github.com/rnpgp/rnp/releases/tag/v0.18.1
- https://launchpad.net/ubuntu/+source/rnp
- https://packages.gentoo.org/packages/dev-util/librnp
- https://open.ribose.com/advisories/ra-2025-11-20/
- https://bugzilla.redhat.com/show_bug.cgi?id=2415863
- https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a
Affected packages
Git / github.com/rnpgp/rnp
Affected ranges
- Type
- GIT
- Repo
- https://github.com/rnpgp/rnp
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
Affected versions
v0.*
v0.10.0
v0.11.0
v0.12.0
v0.13.0
v0.13.1
v0.14.0
v0.15.0
v0.15.1
v0.15.2
v0.16.0
v0.16.1
v0.16.2
v0.16.3
v0.17.0
v0.17.1
v0.18.0
v0.9.1
v0.9.2
Database specific
vanir_signatures
[
{
"signature_type": "Function",
"source": "https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-13470-0a98045d",
"target": {
"file": "src/librepgp/stream-write.cpp",
"function": "encrypted_start_aead"
},
"digest": {
"length": 2731.0,
"function_hash": "334572575323991751022169598505903864386"
}
},
{
"signature_type": "Function",
"source": "https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-13470-243d9dff",
"target": {
"file": "src/librepgp/stream-write.cpp",
"function": "encrypted_add_password_v5"
},
"digest": {
"length": 1263.0,
"function_hash": "290657140769169718664701902527016912585"
}
},
{
"signature_type": "Function",
"source": "https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-13470-26eb14b9",
"target": {
"file": "src/librepgp/stream-write.cpp",
"function": "init_encrypted_dst"
},
"digest": {
"length": 3274.0,
"function_hash": "139660214092104788887062027654082880736"
}
},
{
"signature_type": "Function",
"source": "https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-13470-3be9859f",
"target": {
"file": "src/librepgp/stream-write.cpp",
"function": "encrypted_dst_finish"
},
"digest": {
"length": 988.0,
"function_hash": "215392970274102627723257815810078238721"
}
},
{
"signature_type": "Function",
"source": "https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-13470-4409f631",
"target": {
"file": "src/librepgp/stream-write.cpp",
"function": "encrypted_add_password"
},
"digest": {
"length": 601.0,
"function_hash": "38679954783669945354782881740662441887"
}
},
{
"signature_type": "Function",
"source": "https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-13470-5ab5390d",
"target": {
"file": "src/librepgp/stream-write.cpp",
"function": "encrypted_start_cfb"
},
"digest": {
"length": 1134.0,
"function_hash": "157956384825293113905191577177184797679"
}
},
{
"signature_type": "Function",
"source": "https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-13470-5d2e7685",
"target": {
"file": "src/librepgp/stream-write.cpp",
"function": "encrypted_dst_close"
},
"digest": {
"length": 337.0,
"function_hash": "112190713094663324569957111650972456451"
}
},
{
"signature_type": "Line",
"source": "https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-13470-5fd7ed22",
"target": {
"file": "src/librepgp/stream-write.cpp"
},
"digest": {
"line_hashes": [
"116363240060281475136867494909710164421",
"168918251817325214516864204879938397714",
"290830996141097746986431584586184751902",
"49638027243262153345810365080755955672",
"201383528598646824358171611942850877759",
"163911156278416785472165893839339454060",
"149201111913575435317609373362635837476",
"194946161046034464481211751455825646544",
"6378840425286330319250018310922629541",
"139345267043036095271963208209079050758",
"42628927958135572648310416298533321986",
"123525658837711219981599523973488318264",
"263857703748303504305448318511207217474",
"176084917567854671282604234187021203790",
"107431729603585797612411714882674911284",
"166924501037743242093145298648752134614",
"120851373450381594072044618869135274624",
"284796253137638855746668631054098773241",
"332933392540308746183241739787154661623",
"120908190255233490491624745324580652568",
"209178656013608791730348315020494280167",
"277237961123887433584839045199862222578",
"185954447022927644043673202754936331168",
"157867643279241071721903831846753043109",
"294400384197731501977064204204745786638",
"78939096944561531200841369451394459040",
"24566552519040797115090142161717287479",
"15546996465871056502415075895044808329",
"50000874894022809101211888984438256943",
"109015707609468486797133597894538395002",
"249394563004178903191023174396654394156",
"186108391031113425257464118919330923663",
"129224321015016595667109025299829246136",
"86427324277641690400927736789274903195",
"18105293222532024331505337081741446578",
"116878017189965765359572068890289000104",
"203887773585894174750478802653705196964",
"83584945039432347349809858111321796987",
"311843877892632310492350254118272839381",
"308650148516377801401598271108969828693",
"165564912760914546350577574880366656158",
"95799162837827107456952005547409058493",
"87523755505646424781965787753298871856",
"164233227868501821082050836930656998671",
"35949887212158057885862312020260994148",
"314587427204835170642771501376568475257",
"320957135794795324006497030527237869147",
"116094177451016929277018152718880144531",
"31809806463035881901491110774918439609",
"24478500452831810792432603365414697872",
"69780223424727825893463120127949395848",
"242212088774243419696169457261245666945",
"16330490571771389361148057103273407463",
"64604669837636331770938008784896102026",
"253009012006250371102834719544508469104",
"168510604315597173948861449341443947260",
"263734477194587725674247413026212870",
"169108328853110325641167910569832216458",
"255037872780404618831472363724978814791",
"155761435225886969125154742553344030161",
"69473570867883700482010106134529752090",
"76776978665875879905880706111890311562",
"158606075105351439214277571194848463411",
"126367180428838452116005188417821130405",
"231027501334043412185355014366229019811",
"253264405300166733375331828176072216446",
"94814634454539592128010386177463771547",
"163268689616354864653177910925936115829",
"80985856719997444662080731138678847556",
"246919260417377484061791342678909913603",
"24752278374011849182027943640849942287",
"218527999194016430853616457469763229010",
"16946141786359351045824497147584089886",
"178742187901807833730661771643098457842",
"317983266309073313965650583201342058988",
"107891296891594112537376268672124231876",
"18819769268031140170439138054515211674",
"196021425505131523422023836790297530264",
"45218975861367321591779887517936837082",
"309485831556368871917558699156421549049",
"220938663628243058456972884564579127560",
"206611562496164545492364288045115065656",
"81307306193703005751855881550869669089",
"130286233690792300636264951885767132033",
"248189926773386308309781974597598816875",
"17648382681612494630940672807048599050",
"121436683728621207050248402067020012110",
"245103879549990564082253175972149599713",
"56956962315453038776109143548725793717",
"173328899131054642926910914953123249648",
"158090087587945903004873710886656312922",
"180005176709017641459104980059005146837",
"144525619153921113295221573391922926856",
"136378025599107815382693693685757674486",
"307450655171539018763626408306607052445",
"29019997486179922318124857388115798778",
"57679712143663037465140520845980197503",
"253280228526063372753983762194203504111",
"261114359866665113276006565634973247477",
"65565220120349283334443599826238376283",
"159229738938020976728873472174970501192",
"312514313376134494699709941481040692900",
"225793452636337877384498723681763056186",
"192098775850779257755626337810534248819",
"240730911988380672798110032395374511411",
"179799836414875629496372115466847583397",
"223582645189956374563268592406603138389",
"80590430120188780829219741290470220553",
"235413527928341297743524945398321539352",
"328856678273842504694984422361143402885",
"117149078347141534519452402626111350546",
"152165800478456386217491881953709372888",
"239107420695744328848398173141537237988",
"47644404171400066487308562839449276863",
"316668605630384643601325125511647192535",
"300977749905261452033640753492415773552",
"189438513410859928698610883519821813846",
"142807515591260601703969938555691573255",
"179230879123885439858147319793692858696",
"3636921468633357330742563738578528943",
"277104685738158207851252108214472745810",
"178660415508254523478104659895993653501",
"320684803638106278978886676883109018899",
"279991755621699548116789776604257944911",
"133207477878178361215990009869627351566",
"150331730021539756907232093008988650650",
"69061206700419433040290901108939308902",
"243152149026994952504558994472552852788",
"53009526909354594243920789249532632313",
"70571903584337538176818748136324382885",
"32548199905411746650363711175905365693",
"19850716537909443724284701788788574416",
"331743679077493646667146324788458372726",
"260000205867383909776474492926921231464",
"303829862467931255609121211172367169887",
"206628262774684415704610827778363964002",
"29541549432131971458074417309592360600",
"251870698383787956341315634925321182681",
"187999780772806539717904057102660534936",
"188241688397544870279066075544224706192",
"189527916476383575609466796551816295781",
"284848521238549711051737603834933066937",
"133186110091876240718103732959489170894",
"83921484357989982721808811417377391770",
"263101455480392439571458430908238314727",
"329233105827242975568277351633089229149",
"280836504257275314340962162562481797518",
"320926536038565505218193719180546870787",
"269602340087322613003590008696540129087",
"180239066730679992079904954877733869081",
"39584717696278532879663843408362967451",
"271464898022306468493497681865168630888",
"5837079052712641855044293869985952719",
"31266539165134461048622216917980205672",
"141068375047250483033997547004990223269",
"321200643454801740563434844357064276699",
"252865275349474519621436801138816006097",
"85548023975701221586839345216107460773",
"306265128523540484262612570785891073665",
"144290121302206641461181499631027854317",
"260962232840219481409700869019483500031",
"239449006234697576025163604115154389462",
"335699683440229921863627557070232764513",
"60418659475049334970401649979767776736",
"246886529662957285973074699951086099174",
"183345819642224791689888672657443926835",
"241300481006115071632808264668593779251",
"148844328899115171838214717348762790131",
"97291835408891990907769380814653667636",
"34053424919611978155342741925946325214",
"19124324162997410074534474109639512968",
"113060459306347213952211176158655541843",
"267004474474049460232735829250223201274",
"233310103392662699911164629180879056884",
"296563449650444386092591193147404831962",
"294297134579052436036575947037895220859",
"104839479056505504392859494278001940791",
"294606208739869913006301627622967236172",
"227554174137768290579130734089437814465",
"32619221679946292981522201412775330864",
"217430653306655015565074641438775791694",
"83430721960770099582261911359963846830",
"337975164657052937936945408834006952527",
"303744430732721794966052655542513321797",
"35311312407731292067077826581968308429",
"90636172011275662204437088378384045182",
"113541900411131571921182296802168624398",
"206020124141744477007826804879901086552",
"275084046237580086905554520051412393676",
"187126446139765119363591676250838865342",
"115530887972715045515396293494745021031",
"264793007929031796475904968621922337605",
"100258030418519097011254205273811149900",
"202866911954654811835300307977231156055",
"293990703104612791610270278541607078526",
"335117864123800871532869273440355219856",
"73362729762934953173603965673386748184",
"126564845444872654368937104562507931726",
"240970169824828781161900689297767694788",
"82796992305522342924662975726749634379",
"156049290634990286702527177703090361832",
"75944430617867274331995415887739385396",
"301638312639556511008646649621010100894",
"316130962395959848152998718900359869120",
"97583880386616884819715941046742990291",
"217483335451015279863760707212457242586",
"224856884154299722392102897973100668571",
"321184205010060608957620693039913283329",
"187534147849966658823891873765687659040",
"125841339587041280704061213826340198926",
"223131957002246461769557294161070795100",
"339192981469714927891470436080150768165",
"274826729173868791812412860906434077759",
"124740294758055529610614601330655592598",
"100406986190474820319180675650347427086",
"232500517603828586620656881589640250733"
],
"threshold": 0.9
}
},
{
"signature_type": "Function",
"source": "https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-13470-6111512d",
"target": {
"file": "src/librepgp/stream-write.cpp",
"function": "encrypted_add_password_v4"
},
"digest": {
"length": 759.0,
"function_hash": "12206648461359694837003066946706332726"
}
},
{
"signature_type": "Function",
"source": "https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-13470-7dffa9f8",
"target": {
"file": "src/librepgp/stream-write.cpp",
"function": "encrypted_add_recipient"
},
"digest": {
"length": 2185.0,
"function_hash": "151224583865298217483119165486463627375"
}
},
{
"signature_type": "Function",
"source": "https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-13470-918e89b8",
"target": {
"file": "src/librepgp/stream-write.cpp",
"function": "encrypted_dst_write_aead"
},
"digest": {
"length": 1805.0,
"function_hash": "185921578896620476784582518763990412632"
}
},
{
"signature_type": "Function",
"source": "https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-13470-c467e471",
"target": {
"file": "src/librepgp/stream-write.cpp",
"function": "encrypted_dst_write_cfb"
},
"digest": {
"length": 705.0,
"function_hash": "147498955786073055931311859136498923196"
}
}
]