[From nobody Sat Jul 11 14:21:06 2026
Received: (at submit) by bugs.debian.org; 30 Jun 2026 20:30:10 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-10.0 required=4.0 tests=BAYES_00,FROMDEVELOPER,
 NO_RELAYS,XMAILER_REPORTBUG autolearn=ham autolearn_force=no
 version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 20; hammy, 149; neutral, 55; spammy,
 1. spammytokens:0.941-+--H*r:bugs.debian.org
 hammytokens:0.000-+--H*F:U*carnil, 0.000-+--XDebbugsCc,
 0.000-+--X-Debbugs-Cc, 0.000-+--H*Ad:N*Bug, 0.000-+--H*Ad:N*Tracking
Return-path: &lt;carnil@debian.org&gt;
Received: via submission by buxtehude.debian.org with esmtp (Exim 4.96)
 (envelope-from &lt;carnil@debian.org&gt;) id 1wef5s-00763z-22
 for submit@bugs.debian.org; Tue, 30 Jun 2026 20:30:09 +0000
Content-Type: text/plain; charset=&quot;us-ascii&quot;
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Salvatore Bonaccorso &lt;carnil@debian.org&gt;
To: Debian Bug Tracking System &lt;submit@bugs.debian.org&gt;
Subject: p11-kit: CVE-2026-13757
Message-ID: &lt;178285140651.288282.7913227486793031852.reportbug@eldamar.lan&gt;
X-Mailer: reportbug 13.2.0+nmu1
Date: Tue, 30 Jun 2026 22:30:06 +0200
Delivered-To: submit@bugs.debian.org

Source: p11-kit
Version: 0.26.2-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team &lt;team@security.debian.org&gt;

Hi Andreas,

The following vulnerability was published for p11-kit.

Sorry for the wague report.

CVE-2026-13757[0]:
| A flaw was found in p11-kit. The RPC message attribute parsing
| functions p11_rpc_message_get_attribute() and
| p11_rpc_message_get_attribute_array_value() form a mutually-
| recursive call chain with no recursion depth limit when processing
| nested CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and
| CKA_DERIVE_TEMPLATE attributes. An unauthenticated attacker with
| local access to the p11-kit RPC Unix domain socket can send a
| specially crafted request with deeply nested template attributes,
| causing stack exhaustion and crashing the p11-kit server process and
| its dependent services.

TTBOMK, so far the only reference is actually the bugzilla entry form
Red Hat. Is upstream aware of the issue, or is there actually an
upstream tracking of it?


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities &amp; Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-13757
    https://www.cve.org/CVERecord?id=CVE-2026-13757
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2494556

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
]