Impact
The vulnerability is a stack-based buffer overflow in the tpm2daemon component of GnuPG, triggered during processing of the PKDECRYPT command for TPM-backed RSA and ECC keys. The overflow allows an attacker to overwrite adjacent memory on the stack, leading to arbitrary code execution. If successful, the attacker could execute arbitrary instructions with the privileges of the tpm2daemon process, potentially compromising system integrity, confidentiality, and availability.
Affected Systems
The flaw applies to GnuPG versions prior to 2.5.17, including any Linux or Windows deployments that use Gpg4win, which ships the same vulnerable GnuPG components. Systems that rely on TPM-backed RSA or ECC keys and invoke the PKDECRYPT command are at risk. No specific commit or patch level is mentioned in the CVE data, so all releases below 2.5.17 should be treated as affected.
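A quick way to inventory exposure is to compare the installed GnuPG version against the fixed release named above. The script below is an added example, not code from the advisory or from the GnuPG project; it parses the first line of `gpg --version` output (a constructed sample is embedded so it runs offline) and compares the version as an integer tuple, which keeps 2.5.9 correctly below 2.5.17 where a string comparison would not. Note that being below 2.5.17 is the version condition only; the advisory scopes the risk to hosts that actually use TPM-backed keys with PKDECRYPT.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# First fixed release as stated in the advisory.
FIXED_VERSION: Tuple[int, int, int] = (2, 5, 17)

# Constructed sample of `gpg --version` output for offline testing; not captured from a real host.
SAMPLE_VERSION_OUTPUT = "gpg (GnuPG) 2.4.7\nlibgcrypt 1.11.0\n"

# `gpg --version` prints a line like "gpg (GnuPG) 2.4.7"; the build tag inside the
# parentheses varies between distributions, so it is matched loosely.
_VERSION_RE = re.compile(r"^gpg \(GnuPG[^)]*\) (\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_gpg_version(output: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from `gpg --version` output."""
    match = _VERSION_RE.search(output)
    if not match:
        raise ValueError("could not find a GnuPG version line in the output")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version is older than the first fixed release."""
    # Tuple comparison is numeric per component, so (2, 5, 9) < (2, 5, 17).
    return version < FIXED_VERSION


def installed_gpg_version() -> Optional[Tuple[int, int, int]]:
    """Run the local gpg binary, if present, and parse its version."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    result = subprocess.run([gpg, "--version"], capture_output=True, text=True, check=True)
    return parse_gpg_version(result.stdout)


def report(version: Optional[Tuple[int, int, int]]) -> str:
    """Human-readable one-line verdict for the given version."""
    if version is None:
        return "gpg not found on PATH"
    label = ".".join(str(part) for part in version)
    if is_affected(version):
        return f"GnuPG {label} is below 2.5.17: update, or confirm no TPM-backed keys are used"
    return f"GnuPG {label} is at or above 2.5.17: not affected by this advisory"


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, then the real binary if available.
    print(report(parse_gpg_version(SAMPLE_VERSION_OUTPUT)))
    print(report(installed_gpg_version()))
```

Run it on each host that carries GnuPG or Gpg4win; the version condition is the same on both platforms because Gpg4win bundles the upstream binaries.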
Risk and Exploitability
The CVSS score of 8.4 indicates a high severity vulnerability. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild at this time. The vulnerability is not currently listed in the CISA KEV catalog. Because tpm2daemon runs with elevated privileges to manage TPM functions, the attack vector is inferred to be local or remote depending on how the PKDECRYPT command reaches the daemon; an attacker would need to get the daemon to process a crafted PKDECRYPT request, for example through malformed input data or misuse of a key. Overall, the risk is high and the vulnerability should be addressed promptly.
OpenCVE Enrichment