Gnupg

by Gnupg

CVEs (43)

  • CVE-2010-2547 | High | Aug 5, 2010
    risk 0.53 | cvss 8.1 | epss 0.05

    Use-after-free vulnerability in kbx/keybox-blob.c in GPGSM in GnuPG 2.x through 2.0.16 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a certificate with a large number of Subject Alternate Names, which is not properly handled…

  • CVE-2018-12020 | High | Jun 8, 2018
    risk 0.49 | cvss 7.5 | epss 0.09

    mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP…

  • CVE-2018-9234 | High | Apr 4, 2018
    risk 0.49 | cvss 7.5 | epss 0.02

    GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.

  • CVE-2016-6313 | Medium | Dec 13, 2016
    risk 0.35 | cvss 5.3 | epss 0.04

    The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits.

  • CVE-2006-3746 | Jul 28, 2006
    risk 0.04 | cvss n/a | epss 0.07

    Integer overflow in parse_comment in GnuPG (gpg) 1.4.4 allows remote attackers to cause a denial of service (segmentation fault) via a crafted message.

  • CVE-2006-3082 | Jun 19, 2006
    risk 0.04 | cvss n/a | epss 0.07

    parse-packet.c in GnuPG (gpg) 1.4.3 and 1.9.20, and earlier versions, allows remote attackers to cause a denial of service (gpg crash) and possibly overwrite memory via a message packet with a large length (long user ID string), which could lead to an integer overflow, as…

  • CVE-2007-1263 | Mar 6, 2007
    risk 0.03 | cvss n/a | epss 0.05

    GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, does not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection.

  • CVE-2006-0455 | Feb 15, 2006
    risk 0.03 | cvss n/a | epss 0.01

    gpgv in GnuPG before 1.4.2.1, when using unattended signature verification, returns a 0 exit code in certain cases even when the detached signature file does not carry a signature, which could cause programs that use gpgv to assume that the signature verification has succeeded. …

  • CVE-2003-0255 | May 27, 2003
    risk 0.01 | cvss n/a | epss 0.07

    The key validation code in GnuPG before 1.2.2 does not properly determine the validity of keys with multiple user IDs and assigns the greatest validity of the most valid user ID, which prevents GnuPG from warning the encrypting user when a user ID does not have a trusted path.

  • CVE-2026-57062 | Jun 23, 2026
    risk 0.00 | cvss n/a | epss 0.00

    CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is related to CVE-2026-34182.

  • CVE-2026-24883 | Jan 27, 2026
    risk 0.00 | cvss n/a | epss 0.00

    In GnuPG before 2.5.17, a long signature packet length causes parse_signature to return success with sig->data[] set to a NULL value, leading to a denial of service (application crash).

  • CVE-2026-24882 | Jan 27, 2026
    risk 0.00 | cvss n/a | epss 0.00

    In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.

  • CVE-2026-24881 | Jan 27, 2026
    risk 0.00 | cvss n/a | epss 0.02

    In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT--kem=CMS handling. This can easily be leveraged for denial of service; however, there is also…

  • CVE-2025-68973 | Dec 28, 2025
    risk 0.00 | cvss n/a | epss 0.00

    In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)

  • CVE-2025-68972 | Dec 27, 2025
    risk 0.00 | cvss n/a | epss 0.00

    In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor"…

  • CVE-2025-30258 | Mar 19, 2025
    risk 0.00 | cvss n/a | epss 0.00

    In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."

  • CVE-2022-3219 | Feb 23, 2023
    risk 0.00 | cvss n/a | epss 0.00

    GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

  • CVE-2022-34903 | Jul 1, 2022
    risk 0.00 | cvss n/a | epss 0.03

    GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.

  • CVE-2020-25125 | Sep 3, 2020
    risk 0.00 | cvss n/a | epss 0.01

    GnuPG 2.2.21 and 2.2.22 (and Gpg4win 3.1.12) has an array overflow, leading to a crash or possibly unspecified other impact, when a victim imports an attacker's OpenPGP key, and this key has AEAD preferences. The overflow is caused by a g10/key-check.c error. NOTE: GnuPG 2.3.x…

  • CVE-2019-14855 | Mar 20, 2020
    risk 0.00 | cvss n/a | epss 0.01

    A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.

Page 1 of 3