Description
Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.
Published: 2026-04-23
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

Libgcrypt before version 1.12.2 writes to a static array without validating the bounds of the write. Because the data written is not attacker-supplied, the flaw does not provide a direct path to remote code execution or information disclosure. Nonetheless, the out-of-bounds write can corrupt memory and crash the process, causing a denial of service for services that rely on Libgcrypt for signature generation.

Affected Systems

The vulnerability affects the Libgcrypt library that is bundled with GnuPG. Any installation using Libgcrypt older than 1.12.2 is subject to the flaw.

Risk and Exploitability

The CVSS score of 4.0 reflects a low-to-medium severity assessment, and the EPSS score of less than 1% indicates an extremely low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Because the memory corruption is triggered by static data that is not attacker-controlled, an attacker is unlikely to be able to leverage the out-of-bounds write reliably for a purposeful outcome. The risk is therefore limited to potential local crashes, and the attack vector is inferred to be local or confined to the process using the library.

Generated by OpenCVE AI on April 28, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Libgcrypt to version 1.12.2 or later
  • Verify that all packages depending on Libgcrypt are updated so the vulnerable library is replaced
  • Restart any services or applications that use Libgcrypt to clear cached state and confirm stable operation

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | | Libgcrypt: Libgcrypt: Denial of Service or data integrity issues from missing bounds check during Dilithium signing.
References | |
Metrics | threat_severity: None | threat_severity: Low


Thu, 23 Apr 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 05:00:00 +0000

Type | Values Removed | Values Added
Description | | Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.
First Time appeared | | Gnupg; Gnupg libgcrypt
Weaknesses | | CWE-787
CPEs | | cpe:2.3:a:gnupg:libgcrypt:*:*:*:*:*:*:*:*
Vendors & Products | | Gnupg; Gnupg libgcrypt
References | |
Metrics | | cvssV3_1: {'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-23T16:22:42.096Z

Reserved: 2026-04-23T04:39:04.114Z

Link: CVE-2026-41990

Vulnrichment

Updated: 2026-04-23T15:58:31.312Z

NVD

Status: Analyzed

Published: 2026-04-23T05:16:05.897

Modified: 2026-04-27T18:33:27.050

Link: CVE-2026-41990

Redhat

Severity: Low

Public Date: 2026-04-23T04:39:04Z

Links: CVE-2026-41990 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T00:00:13Z

Weaknesses