CVE Tools

gnupg

Security Productsoss-project

26

Cumulative CVEs

15

Monthly snapshots

#29

Peak rank

Top products

gnupg5 libgcrypt2

Latest CVEs

The 15 most recently published vulnerabilities affecting gnupg.

CVE-2026-41990Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.4.0Apr 23, 2026
CVE-2026-41989Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.6.7Apr 23, 2026
CVE-2026-24883In GnuPG before 2.5.17, a long signature packet length causes parse_signature to return success with sig->data[] set to a NULL value, leading to a denial of service (application crash).3.7Jan 27, 2026
CVE-2026-24882In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.8.4Jan 27, 2026
CVE-2026-24881In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT--kem=CMS handlin...8.1Jan 27, 2026
CVE-2025-68973In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and l...7.8Dec 28, 2025
CVE-2025-68972In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that sig...5.9Dec 27, 2025
CVE-2025-30258In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify ...2.7Mar 19, 2025
CVE-2022-3219GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.3.3Feb 23, 2023
CVE-2022-3515A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing spe...9.8Jan 12, 2023
CVE-2022-47629Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser.9.8Dec 20, 2022
CVE-2022-34903GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forger...6.5Jul 1, 2022
CVE-2021-40528The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined ...5.9Sep 6, 2021
CVE-2021-33560Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen a...7.5Jun 8, 2021
CVE-2021-3345_gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9...7.8Jan 29, 2021