Description
In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT --kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that could lead to remote code execution.
Published: 2026-01-27
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution through stack overflow
Action: Immediate Patch
AI Analysis

Impact

A crafted CMS (S/MIME) EnvelopedData message with an oversized wrapped session key can cause a stack‑based buffer overflow in gpg-agent during PKDECRYPT handling with the kem=CMS option. The overflow can lead to denial of service by crashing the agent, and the associated memory corruption could allow an attacker to execute arbitrary code. This vulnerability is classified as a CWE‑121 stack-based buffer overflow.

Affected Systems

GnuPG versions before 2.5.17, including the gpg4win bundle that incorporates this GnuPG library, are vulnerable. Any system that processes CMS EnvelopedData through gpg-agent without updating to a fixed release is exposed.

Risk and Exploitability

The CVSS score is 8.1, indicating high severity. The EPSS score is less than 1%, suggesting a low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack vector is likely to involve malicious S/MIME messages sent over email or other transport channels that the victim’s system processes locally. An attacker can simply craft and send a file that triggers the overflow, resulting in a service crash or potential code execution.

Generated by OpenCVE AI on April 18, 2026 at 01:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GnuPG to version 2.5.17 or newer, which contains the fix for the CMS buffer overflow.
  • For users of Gpg4win, install the latest Gpg4win package that bundles the updated GnuPG release.
  • If an upgrade cannot be performed immediately, block or quarantine any incoming mails or CMS-EnvelopedData attachments until the patch is applied.

Advisories

No advisories yet.

History

Thu, 12 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Gpg4win
Gpg4win gpg4win
CPEs cpe:2.3:a:gnupg:gnupg:*:*:*:*:-:*:*:*
cpe:2.3:a:gpg4win:gpg4win:*:*:*:*:*:*:*:*
Vendors & Products Gpg4win
Gpg4win gpg4win

Wed, 28 Jan 2026 12:15:00 +0000

Type Values Removed Values Added
Title GnuPG: GnuPG: Remote code execution and denial of service via crafted CMS EnvelopedData message
References
Metrics threat_severity

None

threat_severity

Important


Tue, 27 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 19:00:00 +0000

Type Values Removed Values Added
Description In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT --kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that could lead to remote code execution.
First Time appeared Gnupg
Gnupg gnupg
Weaknesses CWE-121
CPEs cpe:2.3:a:gnupg:gnupg:*:*:*:*:*:*:*:*
Vendors & Products Gnupg
Gnupg gnupg
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-01-27T20:08:54.449Z

Reserved: 2026-01-27T18:36:56.490Z

Link: CVE-2026-24881

Vulnrichment

Updated: 2026-01-27T20:08:50.431Z

NVD

Status: Analyzed

Published: 2026-01-27T19:16:16.517

Modified: 2026-02-12T18:15:38.923

Link: CVE-2026-24881

Redhat

Severity: Important

Public Date: 2026-01-27T18:36:56Z

Links: CVE-2026-24881 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T02:00:10Z

Weaknesses