{"id":"CVE-2025-13470","details":"In RNP version 0.18.0 a refactoring regression causes the symmetric session key used for Public-Key Encrypted Session Key (PKESK) packets to be left uninitialized except for zeroing, resulting in it always being an all-zero byte array.\n\nAny data encrypted using public-key encryption in this release can be decrypted trivially by supplying an all-zero session key, fully compromising confidentiality.\n\nThe vulnerability affects only public-key encryption (PKESK packets). Passphrase-based encryption (SKESK packets) is not affected.\n\nRoot cause: the session key buffer used in PKESK packet generation is zeroed but never filled with random data.\n\nThe defect was introduced in commit `7bd9a8dc356aae756b40755be76d36205b6b161a`, where the initialization logic inside `encrypted_build_skesk()` randomized the key only for the SKESK path and omitted it for the PKESK path.\n\nNote: this record also lists that same commit as its FIX reference and as the `fixed` event of one affected range, and both ranges start at `introduced: 0` although the text above names only version 0.18.0. Confirm the affected versions and the fixing commit against the vendor advisory and the v0.18.1 release before relying on the ranges.","modified":"2026-04-12T19:53:21.287989Z","published":"2025-11-21T17:15:50.473Z","related":["openSUSE-SU-2025:15762-1","openSUSE-SU-2025:20116-1"],"references":[{"type":"WEB","url":"https://launchpad.net/ubuntu/+source/rnp"},{"type":"WEB","url":"https://packages.gentoo.org/packages/dev-util/librnp"},{"type":"WEB","url":"https://access.redhat.com/security/cve/cve-2025-13402"},{"type":"WEB","url":"https://aur.archlinux.org/packages/rnp"},{"type":"WEB","url":"https://github.com/rnpgp/rnp/releases/tag/v0.18.1"},{"type":"ADVISORY","url":"https://open.ribose.com/advisories/ra-2025-11-20/"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2415863"},{"type":"FIX","url":"https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rnpgp/rnp","events":[{"introduced":"0"},{"fixed":"7bd9a8dc356aae756b40755be76d36205b6b161a"}]},{"type":"GIT","repo":"https://github.com/rnpgp/rnp","events":[{"introduced":"0"},{"fixed":"aad1892e4d8423398a0b973bd0a7e4544c359afc"}]}],"versions":["v0.10.0","v0.11.0","v0.12.0","v0.
13.0","v0.13.1","v0.14.0","v0.15.0","v0.15.1","v0.15.2","v0.16.0","v0.16.1","v0.16.2","v0.16.3","v0.17.0","v0.17.1","v0.18.0","v0.9.1","v0.9.2"],"database_specific":{"vanir_signatures_modified":"2026-04-12T19:53:21Z","vanir_signatures":[{"signature_version":"v1","source":"https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a","target":{"function":"encrypted_start_aead","file":"src/librepgp/stream-write.cpp"},"deprecated":false,"digest":{"function_hash":"334572575323991751022169598505903864386","length":2731},"signature_type":"Function","id":"CVE-2025-13470-0a98045d"},{"signature_version":"v1","source":"https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a","target":{"function":"encrypted_add_password_v5","file":"src/librepgp/stream-write.cpp"},"deprecated":false,"digest":{"function_hash":"290657140769169718664701902527016912585","length":1263},"signature_type":"Function","id":"CVE-2025-13470-243d9dff"},{"signature_version":"v1","source":"https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a","target":{"function":"init_encrypted_dst","file":"src/librepgp/stream-write.cpp"},"deprecated":false,"digest":{"function_hash":"139660214092104788887062027654082880736","length":3274},"signature_type":"Function","id":"CVE-2025-13470-26eb14b9"},{"signature_version":"v1","source":"https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a","target":{"function":"encrypted_dst_finish","file":"src/librepgp/stream-write.cpp"},"deprecated":false,"digest":{"function_hash":"215392970274102627723257815810078238721","length":988},"signature_type":"Function","id":"CVE-2025-13470-3be9859f"},{"signature_version":"v1","source":"https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a","target":{"function":"encrypted_add_password","file":"src/librepgp/stream-write.cpp"},"deprecated":false,"digest":{"function_hash":"38679954783669945354782881740662441887","length":601},"signature_type":"Fun
ction","id":"CVE-2025-13470-4409f631"},{"signature_version":"v1","source":"https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a","target":{"function":"encrypted_start_cfb","file":"src/librepgp/stream-write.cpp"},"deprecated":false,"digest":{"function_hash":"157956384825293113905191577177184797679","length":1134},"signature_type":"Function","id":"CVE-2025-13470-5ab5390d"},{"signature_version":"v1","source":"https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a","target":{"function":"encrypted_dst_close","file":"src/librepgp/stream-write.cpp"},"deprecated":false,"digest":{"function_hash":"112190713094663324569957111650972456451","length":337},"signature_type":"Function","id":"CVE-2025-13470-5d2e7685"},{"signature_version":"v1","source":"https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a","target":{"file":"src/librepgp/stream-write.cpp"},"deprecated":false,"digest":{"line_hashes":["116363240060281475136867494909710164421","168918251817325214516864204879938397714","290830996141097746986431584586184751902","49638027243262153345810365080755955672","201383528598646824358171611942850877759","163911156278416785472165893839339454060","149201111913575435317609373362635837476","194946161046034464481211751455825646544","6378840425286330319250018310922629541","139345267043036095271963208209079050758","42628927958135572648310416298533321986","123525658837711219981599523973488318264","263857703748303504305448318511207217474","176084917567854671282604234187021203790","107431729603585797612411714882674911284","166924501037743242093145298648752134614","120851373450381594072044618869135274624","284796253137638855746668631054098773241","332933392540308746183241739787154661623","120908190255233490491624745324580652568","209178656013608791730348315020494280167","277237961123887433584839045199862222578","185954447022927644043673202754936331168","157867643279241071721903831846753043109","2944003841977315019770642042047
45786638","78939096944561531200841369451394459040","24566552519040797115090142161717287479","15546996465871056502415075895044808329","50000874894022809101211888984438256943","109015707609468486797133597894538395002","249394563004178903191023174396654394156","186108391031113425257464118919330923663","129224321015016595667109025299829246136","86427324277641690400927736789274903195","18105293222532024331505337081741446578","116878017189965765359572068890289000104","203887773585894174750478802653705196964","83584945039432347349809858111321796987","311843877892632310492350254118272839381","308650148516377801401598271108969828693","165564912760914546350577574880366656158","95799162837827107456952005547409058493","87523755505646424781965787753298871856","164233227868501821082050836930656998671","35949887212158057885862312020260994148","314587427204835170642771501376568475257","320957135794795324006497030527237869147","116094177451016929277018152718880144531","31809806463035881901491110774918439609","24478500452831810792432603365414697872","69780223424727825893463120127949395848","242212088774243419696169457261245666945","16330490571771389361148057103273407463","64604669837636331770938008784896102026","253009012006250371102834719544508469104","168510604315597173948861449341443947260","263734477194587725674247413026212870","169108328853110325641167910569832216458","255037872780404618831472363724978814791","155761435225886969125154742553344030161","69473570867883700482010106134529752090","76776978665875879905880706111890311562","158606075105351439214277571194848463411","126367180428838452116005188417821130405","231027501334043412185355014366229019811","253264405300166733375331828176072216446","94814634454539592128010386177463771547","163268689616354864653177910925936115829","80985856719997444662080731138678847556","246919260417377484061791342678909913603","24752278374011849182027943640849942287","218527999194016430853616457469763229010","16946141786359351045824497147584089886
","178742187901807833730661771643098457842","317983266309073313965650583201342058988","107891296891594112537376268672124231876","18819769268031140170439138054515211674","196021425505131523422023836790297530264","45218975861367321591779887517936837082","309485831556368871917558699156421549049","220938663628243058456972884564579127560","206611562496164545492364288045115065656","81307306193703005751855881550869669089","130286233690792300636264951885767132033","248189926773386308309781974597598816875","17648382681612494630940672807048599050","121436683728621207050248402067020012110","245103879549990564082253175972149599713","56956962315453038776109143548725793717","173328899131054642926910914953123249648","158090087587945903004873710886656312922","180005176709017641459104980059005146837","144525619153921113295221573391922926856","136378025599107815382693693685757674486","307450655171539018763626408306607052445","29019997486179922318124857388115798778","57679712143663037465140520845980197503","253280228526063372753983762194203504111","261114359866665113276006565634973247477","65565220120349283334443599826238376283","159229738938020976728873472174970501192","312514313376134494699709941481040692900","225793452636337877384498723681763056186","192098775850779257755626337810534248819","240730911988380672798110032395374511411","179799836414875629496372115466847583397","223582645189956374563268592406603138389","80590430120188780829219741290470220553","235413527928341297743524945398321539352","328856678273842504694984422361143402885","117149078347141534519452402626111350546","152165800478456386217491881953709372888","239107420695744328848398173141537237988","47644404171400066487308562839449276863","316668605630384643601325125511647192535","300977749905261452033640753492415773552","189438513410859928698610883519821813846","142807515591260601703969938555691573255","179230879123885439858147319793692858696","3636921468633357330742563738578528943","27710468573815820785125210821447274
5810","178660415508254523478104659895993653501","320684803638106278978886676883109018899","279991755621699548116789776604257944911","133207477878178361215990009869627351566","150331730021539756907232093008988650650","69061206700419433040290901108939308902","243152149026994952504558994472552852788","53009526909354594243920789249532632313","70571903584337538176818748136324382885","32548199905411746650363711175905365693","19850716537909443724284701788788574416","331743679077493646667146324788458372726","260000205867383909776474492926921231464","303829862467931255609121211172367169887","206628262774684415704610827778363964002","29541549432131971458074417309592360600","251870698383787956341315634925321182681","187999780772806539717904057102660534936","188241688397544870279066075544224706192","189527916476383575609466796551816295781","284848521238549711051737603834933066937","133186110091876240718103732959489170894","83921484357989982721808811417377391770","263101455480392439571458430908238314727","329233105827242975568277351633089229149","280836504257275314340962162562481797518","320926536038565505218193719180546870787","269602340087322613003590008696540129087","180239066730679992079904954877733869081","39584717696278532879663843408362967451","271464898022306468493497681865168630888","5837079052712641855044293869985952719","31266539165134461048622216917980205672","141068375047250483033997547004990223269","321200643454801740563434844357064276699","252865275349474519621436801138816006097","85548023975701221586839345216107460773","306265128523540484262612570785891073665","144290121302206641461181499631027854317","260962232840219481409700869019483500031","239449006234697576025163604115154389462","335699683440229921863627557070232764513","60418659475049334970401649979767776736","246886529662957285973074699951086099174","183345819642224791689888672657443926835","241300481006115071632808264668593779251","148844328899115171838214717348762790131","97291835408891990907769380814653
667636","34053424919611978155342741925946325214","19124324162997410074534474109639512968","113060459306347213952211176158655541843","267004474474049460232735829250223201274","233310103392662699911164629180879056884","296563449650444386092591193147404831962","294297134579052436036575947037895220859","104839479056505504392859494278001940791","294606208739869913006301627622967236172","227554174137768290579130734089437814465","32619221679946292981522201412775330864","217430653306655015565074641438775791694","83430721960770099582261911359963846830","337975164657052937936945408834006952527","303744430732721794966052655542513321797","35311312407731292067077826581968308429","90636172011275662204437088378384045182","113541900411131571921182296802168624398","206020124141744477007826804879901086552","275084046237580086905554520051412393676","187126446139765119363591676250838865342","115530887972715045515396293494745021031","264793007929031796475904968621922337605","100258030418519097011254205273811149900","202866911954654811835300307977231156055","293990703104612791610270278541607078526","335117864123800871532869273440355219856","73362729762934953173603965673386748184","126564845444872654368937104562507931726","240970169824828781161900689297767694788","82796992305522342924662975726749634379","156049290634990286702527177703090361832","75944430617867274331995415887739385396","301638312639556511008646649621010100894","316130962395959848152998718900359869120","97583880386616884819715941046742990291","217483335451015279863760707212457242586","224856884154299722392102897973100668571","321184205010060608957620693039913283329","187534147849966658823891873765687659040","125841339587041280704061213826340198926","223131957002246461769557294161070795100","339192981469714927891470436080150768165","274826729173868791812412860906434077759","124740294758055529610614601330655592598","100406986190474820319180675650347427086","232500517603828586620656881589640250733"],"threshold":0.9},"signature
_type":"Line","id":"CVE-2025-13470-5fd7ed22"},{"signature_version":"v1","source":"https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a","target":{"function":"encrypted_add_password_v4","file":"src/librepgp/stream-write.cpp"},"deprecated":false,"digest":{"function_hash":"12206648461359694837003066946706332726","length":759},"signature_type":"Function","id":"CVE-2025-13470-6111512d"},{"signature_version":"v1","source":"https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a","target":{"function":"encrypted_add_recipient","file":"src/librepgp/stream-write.cpp"},"deprecated":false,"digest":{"function_hash":"151224583865298217483119165486463627375","length":2185},"signature_type":"Function","id":"CVE-2025-13470-7dffa9f8"},{"signature_version":"v1","source":"https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a","target":{"function":"encrypted_dst_write_aead","file":"src/librepgp/stream-write.cpp"},"deprecated":false,"digest":{"function_hash":"185921578896620476784582518763990412632","length":1805},"signature_type":"Function","id":"CVE-2025-13470-918e89b8"},{"signature_version":"v1","source":"https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a","target":{"function":"encrypted_dst_write_cfb","file":"src/librepgp/stream-write.cpp"},"deprecated":false,"digest":{"function_hash":"147498955786073055931311859136498923196","length":705},"signature_type":"Function","id":"CVE-2025-13470-c467e471"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-13470.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:H/U:Red"}]}