CNNVD-202601-4465 Information

CNNVD ID

CNNVD-202601-4465

CVE-2026-24881

  • CNNVD Published: 2026-01-27

Description (Chinese)

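GnuPG is an open-source encryption software suite from the GNU community in the United States, released under the GNU General Public License. The software supports public-key encryption, symmetric encryption, hashing and other algorithms. GnuPG versions before 2.5.17 contain a security vulnerability: a specially crafted CMS EnvelopedData message can cause a stack-based buffer overflow in gpg-agent while it processes PKDECRYPT --kem=CMS, which may lead to denial of service or remote code execution.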

Description (English)

GnuPG is open-source encryption software from the GNU community in the United States, licensed under the GNU General Public License. It supports algorithms for public-key encryption, symmetric encryption and hashing. Versions of GnuPG before 2.5.17 have a security vulnerability in which a specially crafted CMS EnvelopedData message can trigger a stack-based buffer overflow in gpg-agent when it handles PKDECRYPT --kem=CMS, which could lead to denial of service or remote code execution.

Hazard Level

Medium

Vulnerability Type

Other

Affected Vendor

GNU

Published

2026-01-27

Last Modified

2026-02-24

References

  • https://dev.gnupg.org/T8044
  • https://www.openwall.com/lists/oss-security/2026/01/27/8

Patch

https://gnupg.org/
