{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-24883", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-01-27T18:43:18.620Z", "datePublished": "2026-01-27T18:43:18.883Z", "dateUpdated": "2026-01-28T15:52:11.076Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "GnuPG", "vendor": "GnuPG", "versions": [{"lessThan": "2.5.17", "status": "affected", "version": "2.5.3", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In GnuPG before 2.5.17, a long signature packet length causes parse_signature to return success with sig->data[] set to a NULL value, leading to a denial of service (application crash)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-28T15:52:11.076Z"}, "references": [{"url": "https://www.openwall.com/lists/oss-security/2026/01/27/8"}, {"url": "https://dev.gnupg.org/T8049"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnupg:gnupg:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.5.3", "versionEndExcluding": "2.5.17"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T20:02:25.525861Z", "id": "CVE-2026-24883", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T20:02:38.338Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24883", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T20:02:25.525861Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T20:02:29.427Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "GnuPG", "product": "GnuPG", "versions": [{"status": "affected", "version": "2.5.3", "lessThan": "2.5.17", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.openwall.com/lists/oss-security/2026/01/27/8"}, {"url": "https://dev.gnupg.org/T8049"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In GnuPG before 2.5.17, a long signature packet length causes parse_signature to return success with sig->data[] set to a NULL value, leading to a denial of service (application crash)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gnupg:gnupg:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.5.17", "versionStartIncluding": "2.5.3"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-28T15:52:11.076Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24883", "state": "PUBLISHED", "dateUpdated": "2026-01-28T15:52:11.076Z", "dateReserved": "2026-01-27T18:43:18.620Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-01-27T18:43:18.883Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnupg:gnupg:*:*:*:*:-:*:*:*", "matchCriteriaId": "B85633E2-C26B-4A9C-8277-84071984B915", "versionEndExcluding": "2.5.17", "versionStartIncluding": "2.5.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:gpg4win:gpg4win:*:*:*:*:*:*:*:*", "matchCriteriaId": "731095A1-2A2B-4441-B76D-CD78119D7E0E", "versionEndExcluding": "5.0.1", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In GnuPG before 2.5.17, a long signature packet length causes parse_signature to return success with sig->data[] set to a NULL value, leading to a denial of service (application crash)."}], "id": "CVE-2026-24883", "lastModified": "2026-02-06T18:06:07.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-27T19:16:16.823", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Product"], "url": "https://dev.gnupg.org/T8049"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2026/01/27/8"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"bugzilla": {"description": "GnuPG: GnuPG: Denial of service due to specially crafted signature packet", "id": "2433463", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433463"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-476", "details": ["A flaw was found in GnuPG. A remote attacker could provide a specially crafted long signature packet that, when processed, causes the application to crash. This vulnerability leads to a denial of service (DoS), making the GnuPG application unavailable to legitimate users."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-24883", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "gnupg2", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "gnupg2", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "gnupg2", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "gnupg2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "gnupg2", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-27T18:43:18Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-24883\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24883\nhttps://dev.gnupg.org/T8049\nhttps://www.openwall.com/lists/oss-security/2026/01/27/8"], "statement": "This LOW impact vulnerability in GnuPG allows a remote attacker to trigger a denial of service. By processing a specially crafted long signature packet, the GnuPG application can crash, rendering it unavailable. This affects Red Hat Enterprise Linux and other products utilizing GnuPG.", "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-18T01:58:53.882843+00:00", "value": {"mitigation_remediation": ["Upgrade GnuPG to version 2.5.17 or later.", "If an immediate upgrade is not feasible, avoid processing untrusted signature packets by restricting source or using hardened verification processes.", "Monitor application logs for crashes or abnormal termination to detect potential exploitation attempts."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Vendor: GnuPG. Product: GnuPG. Versions affected are all releases prior to 2.5.17, including the libraries bundled in GPG4Win deployments.", "description_and_impact": "In GnuPG versions before 2.5.17 a crafted signature packet with an excessively long length can be parsed successfully while the internal data structure receives a NULL assignment. When subsequent operations access the data, the application crashes, causing a denial of service. The weakness is a NULL pointer dereference as identified by CWE\u2011476.", "risk_and_exploitability": "The CVSS score is 3.7, indicating a moderate impact level when the vulnerability is exercised. The EPSS score is below 1\u202f%, suggesting a very low probability of exploitation in the wild at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Likely exploitation requires an attacker to provide an adversarial signature packet to a system running GnuPG, which then crashes the application. The attack vector is inferred from the nature of the bug; no public exploitation is reported."}}}}, "created": "2026-01-28T12:22:11.179991+00:00", "updated": "2026-04-18T02:00:10.473810+00:00", "vendors": ["gnupg", "gnupg$PRODUCT$gnupg"]}