CVE-2026-13757
ADVISORY - debianSummary
A flaw was found in p11-kit. The RPC message attribute parsing functions p11_rpc_message_get_attribute() and p11_rpc_message_get_attribute_array_value() form a mutually-recursive call chain with no recursion depth limit when processing nested CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and CKA_DERIVE_TEMPLATE attributes. An unauthenticated attacker with local access to the p11-kit RPC Unix domain socket can send a specially crafted request with deeply nested template attributes, causing stack exhaustion and crashing the p11-kit server process and its dependent services.
- p11-kit (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141184) [trixie] - p11-kit (Minor issue) https://bugzilla.redhat.com/show_bug.cgi?id=2494556 https://github.com/p11-glue/p11-kit/issues/767
EPSS Score: 0.0012 (0.021)
Common Weakness Enumeration (CWE)
Debian
CREATED
UPDATED
ADVISORY IDCVE-2026-13757
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Ubuntu
CREATED
UPDATED
ADVISORY IDCVE-2026-13757
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-