ietf-openpgp

Re: common modulus attack on RSA

2002-05-03 09:50:10

We already have a note relevant to this in section 5.1:

   Note that when an implementation forms several PKESKs with one
   session key, forming a message that can be decrypted by several keys,
   the implementation MUST make new PKCS-1 padding for each key.

This will ensure that the "m" value is different for each encryption key.
That will thwart the common modulus attack and some other possible
attacks.

Hal Finney


From: John Dlugosz

In "Applied Cryptography", page 472, Schneier warns against ever encrypting
the same plaintext with two keys having the same n (but different e).

Different public keys may indeed have a common n, either by chance, because
of an implementation that reuses a small set of n, or a deliberate attack.

The session key is encrypted to multiple public keys.

Looking at section 5.1 of RFC2440, it appears that only the MPI of the
RSA-encrypted value of m is used.  I'm supposing that m is much smaller
than n, so the whole thing takes one "block" through RSA.

The other values put into m (the algorithm and the checksum) are the same,
too, so m will be identical in every public-key encrypted session key
packet.
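The following is an added illustration of the point made in both messages above; it is not code from the thread, from RFC 2440 or from any OpenPGP implementation. It builds the section 5.1 payload (algorithm octet, session key, two-octet checksum), which is identical for every recipient, and then shows that if one PKCS-1 padded block is reused under two public keys that share a modulus, the textbook common-modulus recovery (extended Euclid on the two exponents) returns the block, whereas fresh random padding per key makes the two RSA inputs differ so the same computation returns nothing useful. The modulus is a constructed toy built from two Mersenne primes and is far too small for real use; the two public exponents and the simplified PKCS#1 v1.5 type 2 padding routine are assumptions of this example.

```python
# Added example, not part of the original thread: why RFC 2440 section 5.1
# requires new PKCS-1 padding for each key when one session key is encrypted
# to several recipients whose public keys share a modulus.
from math import gcd
import secrets

def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def common_modulus_recover(n: int, e1: int, c1: int, e2: int, c2: int) -> int:
    """Textbook common-modulus computation: if c1 = m^e1 and c2 = m^e2 (mod n)
    with gcd(e1, e2) = 1, then for a*e1 + b*e2 = 1 we get
    c1^a * c2^b = m^(a*e1 + b*e2) = m (mod n). Only meaningful if both
    ciphertexts really were formed from the same m."""
    g, a, b = egcd(e1, e2)
    if g != 1:
        raise ValueError("public exponents must be coprime")
    def powmod(c: int, k: int) -> int:
        # A negative exponent is applied to the modular inverse of c.
        return pow(c, k, n) if k >= 0 else pow(pow(c, -1, n), -k, n)
    return (powmod(c1, a) * powmod(c2, b)) % n

def pkesk_plaintext(algo: int, session_key: bytes) -> bytes:
    """RFC 2440 5.1 payload: algorithm octet || session key || 2-octet checksum
    (sum of the key octets mod 65536). This part is the same for every key."""
    checksum = sum(session_key) % 65536
    return bytes([algo]) + session_key + checksum.to_bytes(2, "big")

def pkcs1_v15_pad(msg: bytes, k: int) -> int:
    """Simplified PKCS#1 v1.5 type 2 encoding: 00 02 || PS || 00 || msg, where
    PS is at least 8 random nonzero octets. The random PS is what makes the
    RSA input m differ on every call."""
    if len(msg) > k - 11:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - len(msg) - 3))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")

# Constructed toy parameters (Mersenne primes M127 and M107); not for real use.
P, Q = 2**127 - 1, 2**107 - 1
N = P * Q
K = (N.bit_length() + 7) // 8          # modulus size in octets (30 here)
E1, E2 = 65537, 65539                  # coprime public exponents sharing N
assert gcd(E1, (P - 1) * (Q - 1)) == 1 and gcd(E2, (P - 1) * (Q - 1)) == 1

def encrypt_reused_padding(payload: bytes) -> bool:
    """One padded block reused for both keys: the shared m is recovered."""
    m = pkcs1_v15_pad(payload, K)
    c1, c2 = pow(m, E1, N), pow(m, E2, N)
    return common_modulus_recover(N, E1, c1, E2, c2) == m

def encrypt_fresh_padding(payload: bytes) -> bool:
    """Fresh padding per key (the MUST in section 5.1): the two RSA inputs
    differ, so the same computation yields neither of them."""
    m1, m2 = pkcs1_v15_pad(payload, K), pkcs1_v15_pad(payload, K)
    c1, c2 = pow(m1, E1, N), pow(m2, E2, N)
    r = common_modulus_recover(N, E1, c1, E2, c2)
    return m1 != m2 and r not in (m1, m2)

if __name__ == "__main__":
    # Algorithm 7 is AES-128 in OpenPGP; the key bytes are a constructed sample.
    payload = pkesk_plaintext(7, bytes(range(16)))
    print("reused padding, m recovered:", encrypt_reused_padding(payload))
    print("fresh padding, recovery fails:", encrypt_fresh_padding(payload))
```

With a 30-octet modulus the 19-octet payload leaves exactly the minimum 8 octets of random padding, which is already enough to make the two RSA inputs distinct; with real key sizes the padding string is much longer. The attack does not need the private keys at all, which is why the defence has to be on the encryption side.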
