Impact
CMS parsing in gpgsm accepts an AES‑GCM ciphertext that specifies an 4‑byte ICV length instead of the required 12 bytes, which bypasses integrity verification on the ciphertext. This input‑validation weakness (CWE‑1284) can allow an attacker to craft or modify ciphertext that will be processed by a vulnerable GnuPG installation, potentially enabling covert manipulation of encrypted data without detection.
Affected Systems
The affected software is the GnuPG project’s gpgsm component, versions 2.5.20 and earlier. Any system that processes CMS messages encrypted with AES‑GCM using these GnuPG releases is potentially impacted.
Risk and Exploitability
The CVSS score of 2.9 indicates a low severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, implying limited public exploitation. The likely attack vector is that an attacker who can supply crafted ciphertext to a vulnerable system—either locally or remotely—may exploit the issue. Given the low score and lack of exploitation evidence, the risk of widespread impact is considered minimal.
OpenCVE Enrichment