CVE-2026-41989

NameCVE-2026-41989
DescriptionLibgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-6294-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libgcrypt20 (PTS)bullseye1.8.7-6fixed
bookworm1.10.1-3vulnerable
bookworm (security)1.10.1-3+deb12u1fixed
trixie1.11.0-7vulnerable
trixie (security)1.11.0-7+deb13u1fixed
forky, sid1.12.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libgcrypt20sourcebullseye(not affected)
libgcrypt20sourcebookworm1.10.1-3+deb12u1DSA-6294-1
libgcrypt20sourcetrixie1.11.0-7+deb13u1DSA-6294-1
libgcrypt20source(unstable)1.12.2-1

Notes

[bullseye] - libgcrypt20 <not-affected> (Vulnerable code introduced later)
https://www.openwall.com/lists/oss-security/2026/04/21/1
https://dev.gnupg.org/T8211
Fixed by: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=2d3d732c9bf87cc10729f69678dd9e6862f99fa3 (libgcrypt-1.12.2)
Introduced by: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=bbe15758c893dbf546416c1a6bccdad1ab000ad7 (libgcrypt-1.9.0)
Search for package or bug name: Reporting problems