vulnerability
Arch Linux: Authentication bypass (CVE-2018-16151)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:P/A:N) | Sep 26, 2018 | Jul 11, 2025 | Dec 4, 2025 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published
Sep 26, 2018
Added
Jul 11, 2025
Modified
Dec 4, 2025
Description
The OID parser allows any number of random bytes after a valid OID for a PKCS#1.5 signature. The asn1_known_oid() function just parses until it finds a leaf in the tree of known OIDs, any further data that follows is simply ignored. And the function that parses ASN.1 algorithmIdentifier structures doesn't care if the full OID data was parsed as it usually doesn't really matter. A missing check to reject junk and random key parameters allows attackers to carry out a Bleichenbacher-style attack on low-exponent keys and create forged signatures.
Solution
arch-linux-upgrade-latest
References
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.