• A critical GnuPG security update

    From LWN.net@618:250/24 to All on Sun Feb 1 06:40:09 2026
    There is a new GnuPG update for a "critical security bug" in recent
    GnuPG releases.

    A crafted CMS (S/MIME) EnvelopedData message carrying an oversized
    wrapped session key can cause a stack buffer overflow in gpg-agent
    during the PKDECRYPT --kem=CMS handling. This can easily be used
    for a DoS but, worse, the memory corruption can very likely also be
    used to mount a remote code execution attack. The bug was
    introduced while changing an internal API to the FIPS required KEM
    API.

    Only versions 2.5.13 through 2.5.16 are affected.

    https://lwn.net/Articles/1056209/
    --- SBBSecho 3.34-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)