rpm package
almalinux/gnupg2
pkg:rpm/almalinux/gnupg2
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-24882 | — | | | < 2.4.5-4.el10_1 | 2.4.5-4.el10_1 | Jan 27, 2026 | In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. |
| CVE-2025-68973 | — | | | < 2.4.5-3.el10_1 | 2.4.5-3.el10_1 | Dec 28, 2025 | In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.) |
| CVE-2022-34903 | — | | | < 2.2.20-3.el8_6 | 2.2.20-3.el8_6 | Jul 1, 2022 | GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line. |
| CVE-2019-13050 | — | | | < 2.2.20-2.el8 | 2.2.20-2.el8 | Jun 29, 2019 | Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent |