CVE-2026-21895 Overview
The rsa crate, a pure Rust implementation of the RSA cryptographic algorithm, contains a vulnerability in the RSA private key construction routine. Prior to version 0.9.10, when creating an RSA private key from its components, the implementation panics instead of returning an error when one of the primes is 1. This improper error handling condition (CWE-703) can lead to denial of service when applications process malformed or malicious key material.
Critical Impact
Applications using vulnerable versions of the Rust rsa crate may crash unexpectedly when processing RSA private keys containing a prime value of 1, leading to denial of service conditions.
Affected Products
- Rust rsa crate versions prior to 0.9.10
- Applications and libraries depending on vulnerable rsa crate versions
- RustCrypto RSA implementations using num-bigint-dig prior to version 0.8.6
Discovery Timeline
- 2026-01-08 - CVE-2026-21895 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2026-21895
Vulnerability Analysis
This vulnerability represents an improper handling of exceptional conditions (CWE-703) within the Rust rsa crate's private key construction logic. When an application attempts to create an RSA private key from component values, the code path does not properly validate that the prime factors are valid values. Specifically, if one of the prime values equals 1, the implementation triggers a panic rather than returning a controlled error that calling code can handle gracefully.
In Rust, a panic typically causes the current thread to unwind and terminate, which can crash the entire application if not caught at a higher level. This behavior is particularly problematic in server applications or cryptographic services that may process key material from untrusted sources.
Root Cause
The root cause is insufficient input validation in the RSA private key construction function. The code assumes that prime values will always be mathematically valid (greater than 1), but does not enforce this constraint before proceeding with operations that cannot handle the edge case. When a prime equals 1, subsequent mathematical operations produce unexpected results that trigger a panic condition.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Crafting malformed RSA key material with a prime value set to 1
- Submitting this key data to an application that uses the vulnerable rsa crate
- The application attempts to construct an RsaPrivateKey from the components
- The validation failure causes a panic, crashing the application thread or process
The fix in version 0.9.10 updates the dependency on num-bigint-dig and adds proper validation:
rust-version = "1.65"
[dependencies]
-num-bigint = { version = "0.8.2", features = ["i128", "prime", "zeroize"], default-features = false, package = "num-bigint-dig" }
+num-bigint = { version = "0.8.6", features = ["i128", "prime", "zeroize"], default-features = false, package = "num-bigint-dig" }
num-traits = { version= "0.2.9", default-features = false, features = ["libm"] }
num-integer = { version = "0.1.39", default-features = false }
rand_core = { version = "0.6.4", default-features = false }
Source: GitHub Commit Update
Detection Methods for CVE-2026-21895
Indicators of Compromise
- Application crashes with Rust panic stack traces referencing RSA key construction
- Log entries showing thread panics in cryptographic modules handling key material
- Unexpected process terminations in services processing RSA private keys
Detection Strategies
- Review Cargo.lock files for rsa crate versions below 0.9.10
- Use cargo audit to scan Rust projects for known vulnerable dependencies
- Monitor application logs for panic messages related to RSA operations
- Implement crash monitoring for services that process cryptographic key material
Monitoring Recommendations
- Enable panic logging and alerting in production Rust applications
- Monitor service availability and restart frequency for cryptographic services
- Set up dependency scanning in CI/CD pipelines to detect vulnerable crate versions
- Review incoming key material for anomalous prime values in security-critical applications
How to Mitigate CVE-2026-21895
Immediate Actions Required
- Upgrade the rsa crate to version 0.9.10 or later immediately
- Run cargo update -p rsa to update the dependency in your project
- Review and test applications that process RSA keys from external sources
- Consider implementing input validation before passing key components to the RSA library
Patch Information
The vulnerability is fixed in rsa crate version 0.9.10. The fix ensures proper error handling when invalid prime values are encountered during RSA private key construction. The patch updates the num-bigint-dig dependency from version 0.8.2 to 0.8.6 and adds validation logic to return an error instead of panicking. For complete technical details, see the GitHub Security Advisory GHSA-9c48-w39g-hm26 and the fix commit.
Workarounds
- Implement input validation to verify prime values are greater than 1 before passing to RSA functions
- Use std::panic::catch_unwind to catch panics in cryptographic code paths (not recommended for production)
- Isolate RSA key processing in separate threads or processes to limit crash impact
- Consider using alternative RSA implementations while upgrading
# Update the rsa crate to the fixed version
cargo update -p rsa
# Verify the installed version
cargo tree -p rsa
# Audit dependencies for known vulnerabilities
cargo audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
