Aggregates CVE and security vulnerability intelligence across all GnuPG-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk csrf and vendor risk file inclusion and related problems; some flaws may lead to vendor impact unauthorized access, affecting vendor surface software deployment scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-57062 | CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is related to CVE-2026-34182. | [email protected] | 2.9 | — | 2026-06-23 | 2026-06-23 |
| CVE-2026-41990 | Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data. | [email protected] | 4.0 | 0.18% | 2026-04-23 | 2026-06-17 |
| CVE-2026-41989 | Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt. | [email protected] | 6.7 | 0.18% | 2026-04-23 | 2026-06-17 |
| CVE-2026-24883 | In GnuPG before 2.5.17, a long signature packet length causes parse_signature to return success with sig->data[] set to a NULL value, leading to a denial of service (application crash). | [email protected] | 3.7 | 0.45% | 2026-01-27 | 2026-06-17 |
| CVE-2026-24882 | In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. | [email protected] | 8.4 | 0.39% | 2026-01-27 | 2026-06-17 |
| CVE-2026-24881 | In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT--kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that could lead to remote code execution. | [email protected] | 8.1 | 1.98% | 2026-01-27 | 2026-06-17 |
| CVE-2025-68973 | In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.) | [email protected] | 7.8 | 0.13% | 2025-12-28 | 2026-06-17 |
| CVE-2025-68972 | In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line. | [email protected] | 5.9 | 0.10% | 2025-12-27 | 2026-06-17 |
| CVE-2025-30258 | In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS." | [email protected] | 2.7 | 0.17% | 2025-03-19 | 2026-06-17 |
| CVE-2022-3219 | GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB. | [email protected] | 3.3 | 0.29% | 2023-02-23 | 2026-06-17 |
| CVE-2022-3515 | A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment. | [email protected] | 9.8 | 1.64% | 2023-01-12 | 2026-06-17 |
| CVE-2022-47629 | Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser. | [email protected] | 9.8 | 1.55% | 2022-12-20 | 2026-06-17 |
| CVE-2022-34903 | GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line. | [email protected] | 6.5 | 2.11% | 2022-07-01 | 2026-06-17 |
| CVE-2021-40528 | The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP. | [email protected] | 5.9 | 1.32% | 2021-09-06 | 2026-06-17 |
| CVE-2021-33560 | Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP. | [email protected] | 7.5 | 2.34% | 2021-06-08 | 2026-06-16 |
| CVE-2021-3345 | _gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1 or later. | [email protected] | 7.8 | 1.06% | 2021-01-29 | 2026-06-17 |
| CVE-2020-25125 | GnuPG 2.2.21 and 2.2.22 (and Gpg4win 3.1.12) has an array overflow, leading to a crash or possibly unspecified other impact, when a victim imports an attacker's OpenPGP key, and this key has AEAD preferences. The overflow is caused by a g10/key-check.c error. NOTE: GnuPG 2.3.x is unaffected. GnuPG 2.2.23 is a fixed version. | [email protected] | 7.8 | 1.28% | 2020-09-03 | 2026-06-16 |
| CVE-2019-14855 | A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18. | [email protected] | 7.5 | 1.05% | 2020-03-20 | 2026-06-16 |
| CVE-2015-0837 | The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a "Last-Level Cache Side-Channel Attack." | [email protected] | 5.9 | 1.95% | 2019-11-29 | 2026-06-16 |
| CVE-2014-3591 | Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication. | [email protected] | 4.2 | 0.58% | 2019-11-29 | 2026-06-16 |