CVE-2026-13757
ADVISORY - debianSummary
A flaw was found in p11-kit. The RPC message attribute parsing functions p11_rpc_message_get_attribute() and p11_rpc_message_get_attribute_array_value() form a mutually-recursive call chain with no recursion depth limit when processing nested CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and CKA_DERIVE_TEMPLATE attributes. An unauthenticated attacker with local access to the p11-kit RPC Unix domain socket can send a specially crafted request with deeply nested template attributes, causing stack exhaustion and crashing the p11-kit server process and its dependent services.
- p11-kit (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141184) [trixie] - p11-kit (Minor issue) https://bugzilla.redhat.com/show_bug.cgi?id=2494556 https://github.com/p11-glue/p11-kit/issues/767
EPSS Score: 0.0012 (0.021)
Common Weakness Enumeration (CWE)
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in