GHSA-m6x2-4hhh-669j · Severity: low — CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS...
CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is related to CVE-2026-34182.
Conclusion & alert: CVE-2026-57062 is rated Low Risk (12.1/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.11%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-24 | — | 0.11% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 2.9 | 3.1 | LOW |
|
1.4 | 1.4 | [email protected] |
GHSA-m6x2-4hhh-669j · Severity: low — CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS...
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2026-57062 not yet assigned priority: Debian including 1 source packages (gnupg2), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 3, resolved 2. | https://security-tracker.debian.org/tracker/CVE-2026-57062 |
redhat
|
low | — | https://access.redhat.com/security/cve/CVE-2026-57062 |
suse
|
low | CVE-2026-57062 severity low: SUSE including 3 source package names (dirmngr, gpg2, gpg2-lang), 31 product×package rows across 15 product lines (SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS, SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS, … (15 product lines)): Known Not Affected 31. | https://www.suse.com/security/cve/CVE-2026-57062/ |
ubuntu
|
low | CVE-2026-57062 low priority: Ubuntu including 1 source packages (gnupg2), 8 status rows across 8 suites (bionic, focal, jammy, noble, questing, resolute, upstream, xenial): needs-triage 7, released 1. | https://ubuntu.com/security/CVE-2026-57062 |