CVE-2026-24881

NameCVE-2026-24881
DescriptionIn GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT--kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that could lead to remote code execution.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gnupg2 (PTS)bullseye2.2.27-2+deb11u2fixed
bullseye (security)2.2.27-2+deb11u3fixed
bookworm2.2.40-1.1+deb12u2fixed
trixie2.4.7-21+deb13u1fixed
forky, sid2.4.8-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gnupg2source(unstable)(not affected)

Notes

- gnupg2 <not-affected> (Vulnerable code not present)
https://dev.gnupg.org/T8044
Search for package or bug name: Reporting problems