CVE-2026-13757
A flaw was found in p11-kit. The RPC message attribute parsing functions p11_rpc_message_get_attribute() and p11_rpc_message_get_attribute_array_value() form a mutually-recursive call chain with no recursion depth limit when processing nested CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and CKA_DERIVE_TEMPLATE attributes. An unauthenticated attacker with local access to the p11-kit RPC Unix domain socket can send a specially crafted request with deeply nested template attributes, causing stack exhaustion and crashing the p11-kit server process and its dependent services.
CSIRTS triage
- What
- There is a stack exhaustion vulnerability due to unbounded recursion in RPC attribute parsing.
- Who is affected
- Deployments of p11-kit that utilize RPC attribute parsing are affected.
- Urgency
- Remediation is medium priority due to moderate severity and lack of known exploitation.
- Action
- Update to the latest version of p11-kit to mitigate this vulnerability.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2026-13757
Get an email if CVE-2026-13757 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.13% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 3% of all EPSS-scored CVEs.
Advisory coverage (2)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-13757)