CVE-2026-21895 — Vulnetix

CVE-2026-21895 PUBLISHED CVSS 2.700000047683716 LOW

The `rsa` crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue.

EPSS 0.02% · 6.9th percentile

Risk Scores

CVSS v4.0

2.700000047683716

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

EPSS Score

0.02%

6.9th percentile

Affected Products

Vendor	Product	Versions
RustCrypto	RSA	< 0.9.10
rustcrypto	rsa	0
crates.io	rsa	0

Timeline

Jan 6, 2026 CVE Published
Jan 8, 2026 CVE Updated
Jan 8, 2026 PoC Published
Jan 9, 2026 EPSS Score
Jan 12, 2026 EPSS Score
Jan 15, 2026 EPSS Score
Jan 18, 2026 EPSS Score
Jan 21, 2026 EPSS Score
Jan 24, 2026 PoC Published
Jan 24, 2026 PoC Published
Jan 25, 2026 EPSS Score
Jan 28, 2026 EPSS Score

References

https://github.com/RustCrypto/RSA/security/advisories/GHSA-9c48-w39g-hm26 url
https://github.com/RustCrypto/RSA/commit/2926c91bef7cb14a7ccd42220a698cf4b1b692f7 url
https://nvd.nist.gov/vuln/detail/CVE-2026-21895 advisory
https://github.com/RustCrypto/RSA package

Open in Interactive Console →