CVE-2025-13470: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-13470 affects RNP version 0.18.0, where a refactoring regression causes the symmetric session key used for Public-Key Encrypted Session Key (PKESK) packets to be left uninitialized except for zeroing. The vulnerability was discovered on November 7, 2025, by Johannes Roth from MTG AG, and was publicly disclosed on November 21, 2025. The issue affects only public key encryption (PKESK packets), while passphrase-based encryption (SKESK packets) remains unaffected (Ribose Advisory, NVD).

The vulnerability stems from a refactoring regression where the initialization logic inside encrypted_build_skesk() only randomized the key for the SKESK path and omitted it for the PKESK path. This was introduced in commit 7bd9a8dc356aae756b40755be76d36205b6b161a. The CVSS v3.1 base score is 7.5 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, and CVSS v4.0 score is 7.7 (HIGH) with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/AU:Y/RE:H/U:Red (NVD).

Any data encrypted using public-key encryption in RNP version 0.18.0 can be decrypted trivially by supplying an all-zero session key, fully compromising confidentiality. The vulnerability affects standalone RNP 0.18.0 users and potentially some distribution-packaged Thunderbird installations that use system RNP 0.18.0 instead of the bundled version (Ribose Advisory).

The vulnerability has been fixed in RNP version 0.18.1. Users who encrypted sensitive data using RNP 0.18.0 (standalone or via Thunderbird with system RNP 0.18.0) should consider re-encrypting that data with RNP 0.18.1 or 0.17.1 based on their security requirements and threat model. RNP versions 0.17.1 and earlier are not affected by this vulnerability (Ribose Advisory, GitHub Release).