CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-13757

mediumCVSS 6.2covered by 2 sourcesfirst seen 2026-06-09
A flaw was found in p11-kit. The RPC message attribute parsing functions p11_rpc_message_get_attribute() and p11_rpc_message_get_attribute_array_value() form a mutually-recursive call chain with no recursion depth limit when processing nested CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and CKA_DERIVE_TEMPLATE attributes. An unauthenticated attacker with local access to the p11-kit RPC Unix domain socket can send a specially crafted request with deeply nested template attributes, causing stack exhaustion and crashing the p11-kit server process and its dependent services.

CSIRTS triage

What
There is a stack exhaustion vulnerability due to unbounded recursion in RPC attribute parsing.
Who is affected
Deployments of p11-kit that utilize RPC attribute parsing are affected.
Urgency
Remediation is medium priority due to moderate severity and lack of known exploitation.
Action
Update to the latest version of p11-kit to mitigate this vulnerability.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-13757

Get an email if CVE-2026-13757 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-13757

CVE.org record

Embed the live status

CVE-2026-13757 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-13757 status](https://www.csirts.com/badge/CVE-2026-13757)](https://www.csirts.com/cve/CVE-2026-13757)