PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-13757 Red Hat CVE debrief

A flaw was found in p11-kit. The RPC message attribute parsing functions form a mutually-recursive call chain with no recursion depth limit when processing nested template attributes. An unauthenticated attacker with local access to the p11-kit RPC Unix domain socket can send a specially crafted request, causing stack exhaustion and crashing the p11-kit server process.

Vendor
Red Hat
Product
Red Hat Enterprise Linux 10
CVSS
MEDIUM 6.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-29
Original CVE updated
2026-07-08
Advisory published
2026-06-29
Advisory updated
2026-07-08

Who should care

Users of p11-kit, particularly those with untrusted local users, should assess the impact of this vulnerability on their systems, focusing on affected deployments, and apply mitigations or patches as available. This includes reviewing system configurations, monitoring for suspicious activity, and ensuring that compensating controls are in place for exposed systems.

Technical summary

The p11-kit library has a flaw in its RPC message attribute parsing functions. Specifically, the functions p11_rpc_message_get_attribute() and p11_rpc_message_get_attribute_array_value() form a mutually-recursive call chain without a recursion depth limit when processing nested CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and CKA_DERIVE_TEMPLATE attributes. This can lead to stack exhaustion when an attacker sends a specially crafted request with deeply nested template attributes via the p11-kit RPC Unix domain socket.

Defensive priority

Medium

Recommended defensive actions

  • Apply patches or updates provided by the vendor as soon as they are available.
  • Implement compensating controls such as monitoring for suspicious activity on the p11-kit RPC Unix domain socket.
  • Restrict access to the p11-kit RPC Unix domain socket to trusted users only.
  • Consider using a firewall or other network controls to limit access to services that use p11-kit.
  • Review system configurations to ensure they are not vulnerable to exploitation.
  • Monitor for suspicious activity on the p11-kit RPC Unix domain socket.
  • Track exceptions and retest remediated assets to ensure the vulnerability is fully resolved.

Evidence notes

The CVE record was published on 2026-06-29T19:16:40.907Z and was last modified on 2026-07-08T03:34:36.150Z. The NVD entry is currently Analyzed. Vendor advisories and issue tracking information are available.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-29T19:16:40.907Z and has not been modified since then. The NVD entry is currently Analyzed.