{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-24881", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-01-27T18:36:56.490Z", "datePublished": "2026-01-27T18:36:56.727Z", "dateUpdated": "2026-01-27T20:08:54.449Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "GnuPG", "vendor": "GnuPG", "versions": [{"lessThan": "2.5.17", "status": "affected", "version": "2.5.13", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT--kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that could lead to remote code execution."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-27T18:52:54.994Z"}, "references": [{"url": "https://www.openwall.com/lists/oss-security/2026/01/27/8"}, {"url": "https://dev.gnupg.org/T8044"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnupg:gnupg:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.5.13", "versionEndExcluding": "2.5.17"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T20:08:45.733664Z", "id": "CVE-2026-24881", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T20:08:54.449Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24881", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-27T20:08:45.733664Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T20:08:50.431Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "GnuPG", "product": "GnuPG", "versions": [{"status": "affected", "version": "2.5.13", "lessThan": "2.5.17", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.openwall.com/lists/oss-security/2026/01/27/8"}, {"url": "https://dev.gnupg.org/T8044"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT--kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that could lead to remote code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gnupg:gnupg:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.5.17", "versionStartIncluding": "2.5.13"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-27T18:52:54.994Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24881", "state": "PUBLISHED", "dateUpdated": "2026-01-27T20:08:54.449Z", "dateReserved": "2026-01-27T18:36:56.490Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-01-27T18:36:56.727Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnupg:gnupg:*:*:*:*:-:*:*:*", "matchCriteriaId": "B85633E2-C26B-4A9C-8277-84071984B915", "versionEndExcluding": "2.5.17", "versionStartIncluding": "2.5.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:gpg4win:gpg4win:*:*:*:*:*:*:*:*", "matchCriteriaId": "731095A1-2A2B-4441-B76D-CD78119D7E0E", "versionEndExcluding": "5.0.1", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT--kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that could lead to remote code execution."}], "id": "CVE-2026-24881", "lastModified": "2026-02-12T18:15:38.923", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-27T19:16:16.517", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Product"], "url": "https://dev.gnupg.org/T8044"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2026/01/27/8"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "GnuPG: GnuPG: Remote code execution and denial of service via crafted CMS EnvelopedData message", "id": "2433480", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433480"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-121", "details": ["A flaw was found in GnuPG. A remote attacker could exploit this vulnerability by sending a specially crafted Cryptographic Message Syntax (CMS) EnvelopedData message. This message, containing an oversized wrapped session key, can cause a stack-based buffer overflow in the gpg-agent component. Successful exploitation may lead to a denial of service and potentially remote code execution."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-24881", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "gnupg2", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "gnupg2", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "gnupg2", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "gnupg2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "gnupg2", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-27T18:36:56Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-24881\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24881\nhttps://dev.gnupg.org/T8044\nhttps://www.openwall.com/lists/oss-security/2026/01/27/8"], "statement": "IMPORTANT: A stack-based buffer overflow in the gpg-agent component of GnuPG can be triggered by a remote attacker sending a specially crafted Cryptographic Message Syntax (CMS) EnvelopedData message. This vulnerability could lead to a denial of service and potentially remote code execution on affected Red Hat products where gpg-agent processes such messages.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T01:59:16.807252+00:00", "value": {"mitigation_remediation": ["Upgrade GnuPG to version 2.5.17 or newer, which contains the fix for the CMS buffer overflow.", "For users of Gpg4win, install the latest Gpg4win package that bundles the updated GnuPG release.", "If an upgrade cannot be performed immediately, block or quarantine any incoming mails or CMS-EnvelopedData attachments until the patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution through stack overflow"}, "threat_synthesis": {"affected_systems": "GnuPG versions before 2.5.17, including the gpg4win bundle that incorporates this GnuPG library, are vulnerable. Any system that processes CMS EnvelopedData through gpg-agent without updating to a fixed release is exposed.", "description_and_impact": "A crafted CMS (S/MIME) EnvelopedData message with an oversized wrapped session key can cause a stack\u2011based buffer overflow in gpg-agent during PKDECRYPT handling with the kem=CMS option. The overflow can lead to denial of service by crashing the agent, and the associated memory corruption could allow an attacker to execute arbitrary code. This vulnerability is classified as a CWE\u2011121 stack-based buffer overflow.", "risk_and_exploitability": "The CVSS score is 8.1, indicating high severity. The EPSS score is less than 1%, suggesting a low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack vector is likely to involve malicious S/MIME messages sent over email or other transport channels that the victim\u2019s system processes locally. An attacker can simply craft a sending file to trigger the overflow, resulting in a service crash or potential code execution."}}}}, "created": "2026-04-18T02:00:10.474654+00:00", "updated": "2026-04-18T02:00:10.474666+00:00", "vendors": []}