CVE-2025-68972

NameCVE-2025-68972
DescriptionIn GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gnupg2 (PTS)bullseye (security), bullseye2.2.27-2+deb11u2vulnerable
bookworm2.2.40-1.1+deb12u1vulnerable
trixie2.4.7-21vulnerable
forky, sid2.4.8-4vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gnupg2source(unstable)(unfixed)

Notes

https://gpg.fail/formfeed
Search for package or bug name: Reporting problems