Stack exhaustion via unbounded recursion in RPC attribute parsing
Summary
Stack exhaustion via unbounded recursion in RPC attribute parsing. Red Hat rates this moderate (CVSS 6.2). Weakness: CWE-674. Red Hat lists fixing advisory RHSA-2026:38342 with package p11-kit-main-0.26.2-1.2.hum1, p11-kit-main-0.26.4-1.hum1.
- p11-kit-main-0.26.2-1.2.hum1
- p11-kit-main-0.26.4-1.hum1
- RHSA-2026:38342
Official advisory · high-confidence parse· fetched 7 hours ago·verify at source
Mitigation checklist
- This CVE requires same-user access to the p11-kit RPC Unix domain socket (/run/user/<uid>/p11-kit/pkcs11-*). Any process running as the socket-owning user can trigger the crash without further authentication. If p11-kit is managed via systemd --user, ensure `Restart=on-failure` is set in the unit file so that a crash is automatically recovered without manual intervention. Red Hat recommends updating p11-kit to version 0.26.3 or later, which introduces a recursion depth limit in the RPC attribute parsing and fully addresses this flaw.
Official advisory · high-confidence parse· fetched 7 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.