The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.08032.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Debian
  • Debian Linux
Gnupg
  • Gnupg
Opensuse
  • Opensuse

Configuration 1 [-]

OR cpe:2.3:a:gnupg:gnupg:2.0:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.5:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.6:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.7:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.8:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.10:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.11:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.12:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.13:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.14:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.15:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.16:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.17:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.18:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.19:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.20:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.21:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.22:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.23:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:gnupg:gnupg:*:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.0.3:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.0.4:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.0.5:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.0.6:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.0.7:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.2.0:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.2.1:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.2.2:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.2.3:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.2.5:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.2.6:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.2.7:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.3.1:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.3.2:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.3.3:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.3.4:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.3.6:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.3.90:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.3.91:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.3.92:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.3.93:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.4.2:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.4.3:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.4.4:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.4.5:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.4.8:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.4.10:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.4.11:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.4.12:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.4.13:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.4.14:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.4.15:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*

Configuration 4 [-]

OR cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*

No data.

No data.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-51-1 gnupg2 security update
Debian DSA Debian DSA DSA-2967-1 gnupg security update
Debian DSA Debian DSA DSA-2968-1 gnupg2 security update
EUVD EUVD EUVD-2014-4543 The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.
Ubuntu USN Ubuntu USN USN-2258-1 GnuPG vulnerability
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git%3Ba=commit%3Bh=014b2103fcb12f261135e3954f26e9e07b39e342 cve-icon cve-icon
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git%3Ba=commit%3Bh=11fdfcf82bd8d2b5bc38292a29876e10770f4b0a cve-icon cve-icon
http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000344.html cve-icon cve-icon
http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000345.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-updates/2014-07/msg00010.html cve-icon cve-icon
http://secunia.com/advisories/59213 cve-icon cve-icon
http://secunia.com/advisories/59351 cve-icon cve-icon
http://secunia.com/advisories/59534 cve-icon cve-icon
http://secunia.com/advisories/59578 cve-icon cve-icon
http://www.debian.org/security/2014/dsa-2967 cve-icon cve-icon
http://www.debian.org/security/2014/dsa-2968 cve-icon cve-icon
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html cve-icon cve-icon
http://www.ubuntu.com/usn/USN-2258-1 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2014-4617 cve-icon
https://www.cve.org/CVERecord?id=CVE-2014-4617 cve-icon
History

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.07597}

 epss

{'score': 0.08032}
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-06T11:20:26.664Z

Reserved: 2014-06-24T00:00:00

Link: CVE-2014-4617

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2014-06-25T11:19:22.637

Modified: 2025-04-12T10:46:40.837

Link: CVE-2014-4617

cve-icon Redhat

Severity : Moderate

Publid Date: 2014-06-20T00:00:00Z

Links: CVE-2014-4617 - Bugzilla

cve-icon OpenCVE Enrichment

No data.