CVE-2026-57062

Published: June 25, 2026Last modified: July 6, 2026

Description

CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is related to CVE-2026-34182.

Severity score breakdown

ParameterValue
Base score2.9
Attack VectorLOCAL
Attack complexityHIGH
Privileges requiredNONE
User interactionNONE
ScopeUNCHANGED
ConfidentialityNONE
Integrity impactLOW
Availability impactNONE
VectorCVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Status

ProductReleasePackageStatus
Alpaquita Linux23 LTSgnupgFixed (2.2.40-r2)
25 LTSgnupgFixed (2.4.9-r1)
StreamgnupgFixed (2.4.9-r2)

References

ON THIS PAGE