rust-rpm-sequoia Vulnerability Lets Malicious RPM Files Trigger Denial-of-Service

A moderate-severity flaw in rust-rpm-sequoia, CVE-2026-2625, lets attackers crash signature verification with a single crafted RPM file.

By Jamie Taylor, 2 min read

A specially crafted RPM file is all it takes to crash signature verification in rust-rpm-sequoia, a Rust library used across Linux packaging toolchains to parse and validate RPM archives. The GitHub Advisory Database published the flaw on April 3 under identifier CVE-2026-2625, rating it moderate severity and disclosing a code path inside the library's signature verification logic that can be forced into a denial-of-service state by attacker-controlled input.

The mechanics are direct: anyone who can place a malicious RPM into a repository or package mirror can trigger the vulnerability the moment downstream tooling calls into rust-rpm-sequoia to verify the package's signature. That verification step is not optional in most packaging pipelines. It sits on the critical path for any tool that validates, ingests, or processes RPM archives, meaning an unpatched deployment exposes that path every time it touches untrusted package input.

Red Hat cataloged the issue in its own CVE and Bugzilla tracking systems within a day of the GitHub advisory going public, marking an April 3-4 public disclosure window. The coordination matters because rust-rpm-sequoia is not an isolated project: Linux distributions and their downstream tooling depend on it for routine RPM parsing, and a library-level bug propagates to every consumer that has not pinned a patched version.

The advisory is also a useful reminder that memory safety does not make parser bugs impossible. CVE-2026-2625 is a parsing and protocol-handling flaw, not a memory corruption issue, and it found its way into a codebase written in a language specifically chosen for safety guarantees. Supply-chain hygiene, particularly around pipelines that ingest external artifacts like RPMs and tarballs, remains a necessary discipline regardless of what language the parser is written in.

The immediate remediation path is straightforward: upgrade to the patched version of rust-rpm-sequoia as soon as it clears your distribution's update channel. Red Hat's Bugzilla entry includes remediation steps alongside the CVE record. For projects that cannot patch immediately, sandboxing untrusted archive parsing and tightening input validation on the code paths that call into the library are practical stopgaps. Maintainers responsible for distributions shipping rust-rpm-sequoia are expected to push coordinated updates through standard CVE policy channels, making the GitHub Advisory Database the fastest early-warning system available to Rust developers tracking crate-level vulnerabilities before they reach production pipelines.
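The sandboxing stopgap mentioned above can be approximated in-process before a full sandbox is in place. The following is an added example, not code from the advisory or from the rust-rpm-sequoia project: a generic wrapper that runs a verification call on its own thread under a time budget and catches a panic, so a crafted package that crashes or hangs the parser is reported as a rejected input (and an alertable event) rather than bringing down the pipeline. The `toy_verify` function is a constructed stand-in with a deliberate toy defect; it is not the library's API, and the real verification call would be substituted for it.

```rust
// Added example (not from the advisory or the rust-rpm-sequoia project): isolate an
// untrusted-input verification call so that a panic or a hang inside the parser is
// reported as a rejected package instead of taking down the whole pipeline process.
use std::panic::{self, AssertUnwindSafe};
use std::sync::mpsc::{self, RecvTimeoutError};
use std::thread;
use std::time::Duration;

/// Outcome of an isolated verification run.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Valid,
    Invalid(String),
    /// The verifier panicked. Treat as rejection and raise an alert: a crash on
    /// attacker-controlled input is exactly the signal worth investigating.
    Crashed,
    /// The verifier exceeded its time budget. Also a rejection plus an alert.
    TimedOut,
}

/// Run `verify` on its own thread under a time budget. The `Send + 'static` bound means
/// the closure must own its input (move a `Vec<u8>` in rather than borrowing a slice).
pub fn verify_isolated<F>(verify: F, budget: Duration) -> Verdict
where
    F: FnOnce() -> Result<(), String> + Send + 'static,
{
    let (tx, rx) = mpsc::channel();
    thread::spawn(move || {
        // catch_unwind turns a panic inside the verifier into an Err value.
        let outcome = panic::catch_unwind(AssertUnwindSafe(verify));
        // The receiver may already have given up (timeout); a failed send is harmless.
        let _ = tx.send(outcome);
    });
    match rx.recv_timeout(budget) {
        Ok(Ok(Ok(()))) => Verdict::Valid,
        Ok(Ok(Err(reason))) => Verdict::Invalid(reason),
        Ok(Err(_panic_payload)) => Verdict::Crashed,
        Err(RecvTimeoutError::Timeout) => Verdict::TimedOut,
        // Sender dropped without reporting: only possible if the thread died abnormally.
        Err(RecvTimeoutError::Disconnected) => Verdict::Crashed,
    }
}

/// Constructed stand-in for a signature verifier (hypothetical, NOT the real library).
/// It checks the RPM lead magic (0xED 0xAB 0xEE 0xDB) and then contains a deliberate toy
/// defect: it reads a length byte without a bounds check, so a truncated input panics.
/// That models the class of parser bug the wrapper exists to contain.
pub fn toy_verify(pkg: &[u8]) -> Result<(), String> {
    const RPM_LEAD_MAGIC: [u8; 4] = [0xED, 0xAB, 0xEE, 0xDB];
    if pkg.len() < 4 || pkg[..4] != RPM_LEAD_MAGIC {
        return Err("not an RPM lead".to_string());
    }
    let declared_len = pkg[8] as usize; // deliberate defect: panics on inputs under 9 bytes
    if pkg.len() < 9 + declared_len {
        return Err("payload shorter than declared length".to_string());
    }
    Ok(())
}

/// Convenience entry point: verify an owned package buffer with a 5-second budget.
pub fn verify_package(pkg: Vec<u8>) -> Verdict {
    verify_isolated(move || toy_verify(&pkg), Duration::from_secs(5))
}

fn main() {
    // Constructed sample inputs: a well-formed toy lead, a non-RPM file, a truncated lead.
    let samples = vec![
        ("good", vec![0xED, 0xAB, 0xEE, 0xDB, 0, 0, 0, 0, 0]),
        ("not_rpm", vec![0x7F, b'E', b'L', b'F']),
        ("truncated", vec![0xED, 0xAB, 0xEE, 0xDB, 0, 0]),
    ];
    for (name, pkg) in samples {
        println!("{}: {:?}", name, verify_package(pkg));
    }
    // A verifier that never returns is cut off by the budget instead of stalling the pipeline.
    let hang = verify_isolated(
        || {
            thread::sleep(Duration::from_secs(30));
            Ok(())
        },
        Duration::from_millis(200),
    );
    println!("hang: {:?}", hang);
}
```

A thread cannot be killed, so a timed-out verifier keeps running until the process exits; that is why this is a stopgap and a real sandbox (a separate process with resource limits, or a container) remains the goal. The `Crashed` and `TimedOut` verdicts should feed the same alerting path as a bad signature, since both mean untrusted input reached a code path it should not have.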
