GnuPG 2.5.17 has been released to fix a possible RCE:

* https://dev.gnupg.org/T8044 ("gpg-agent stack buffer overflow in pkdecrypt using KEM")

[Description for this one at the end, for the full quoted advisory.]

There are two other security-relevant bugs too:

* https://dev.gnupg.org/T8045 ("Stack-based buffer overflow in TPM2 `PKDECRYPT`")

> A stack-based buffer overflow exists in GnuPG’s tpm2daemon when handling
> the PKDECRYPT command for TPM-backed RSA and ECC keys. A local attacker
> who can access the daemon’s Assuan socket can send an oversized ciphertext
> and trigger memory corruption, resulting in a crash and potentially
> arbitrary code execution. When a user stores private keys inside a TPM,
> GnuPG runs a helper process called tpm2daemon to perform cryptographic
> operations on their behalf. Other GnuPG components communicate with this
> daemon over Assuan, a local IPC protocol. During a PKDECRYPT request,
> tpm2daemon copies the attacker-supplied ciphertext into fixed-size TPM
> work buffers without validating that the ciphertext fits. If the supplied
> ciphertext is larger than the TPM buffer, the copy operation writes past
> the end of the stack buffer and corrupts adjacent stack memory. This
> affects both supported TPM decrypt paths: RSA (tpm2_rsa_decrypt) and ECC
> (tpm2_ecc_decrypt). Because the overflow occurs on the stack and is
> attacker-controlled, it is potentially exploitable for code execution
> inside the tpm2daemon process.

* https://dev.gnupg.org/T8049 ("Null pointer dereference with overlong signature packet")

> Overlong signature packet length causes parse_signature to return
> success with sig->data[] left NULL, leading to a crash in later
> consumers.

The advisory is at https://dev.gnupg.org/T7996#212268 (not yet on gnupg-announce ML).

Quoting that, which discusses the main bug (T8044):

> These versions are affected:
>
> GnuPG 2.5.16 (released 2025-12-30)
> GnuPG 2.5.15 (released 2025-12-29)
> GnuPG 2.5.14 (released 2025-11-19)
> GnuPG 2.5.13 (released 2025-10-22)
> Gpg4win 5.0.0 (released 2026-01-14)
> Gpg4win 5.0.0-beta479 (released 2026-01-02)
> Gpg4win 5.0.0-beta476 (released 2025-12-22)
> Gpg4win 5.0.0-beta395 (released 2025-10-22)
>
> All other versions are not affected.
>
> A crafted CMS (S/MIME) EnvelopedData message carrying an oversized
> wrapped session key can cause a stack buffer overflow in gpg-agent
> during the PKDECRYPT--kem=CMS handling. This can easily be used for a
> DoS but, worse, the memory corruption can very likely also be used to
> mount a remote code execution attack.
>
> A CVE-id has not been assigned. We track this bug as T8044 under
> https://dev.gnupg.org/T8044. This vulnerability was discovered by:
> OpenAI Security Research. Their report was received on 2026-01-18;
> fixed versions released 2026-01-27.
>
> Solution:
>
> If an affected GnuPG version is used please update ASAP to the new
> version 2.5.17.
>
> If an affected version of Gpg4win is used please update ASAP to the new
> version 5.0.1.
>
> If an immediate update is not possible please remove the gpgsm or
> gpgsm.exe binary, this way the bug can't be remotely triggered.

sam
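As an added defender-side check (not part of sam's post or of the GnuPG project's code): a small Python helper that parses `gpg --version` output and classifies a host against the GnuPG versions and the gpgsm workaround listed in the quoted T8044 advisory. It only knows the GnuPG version strings from the advisory, not the Gpg4win installer versions; the sample version output below is constructed.

```python
import re
import shutil
import subprocess
from typing import Optional

# Affected GnuPG versions for T8044, exactly as listed in the quoted advisory.
AFFECTED_GNUPG = {"2.5.13", "2.5.14", "2.5.15", "2.5.16"}
FIXED_GNUPG = "2.5.17"


def parse_gpg_version(version_output: str) -> Optional[str]:
    """Pull 'x.y.z' out of the first line of `gpg --version` output."""
    m = re.search(r"^gpg \(GnuPG\) (\d+\.\d+\.\d+)", version_output, re.MULTILINE)
    return m.group(1) if m else None


def assess_t8044(gpg_version: Optional[str], gpgsm_present: bool) -> dict:
    """Classify a host against T8044 and state the next action from the advisory."""
    if gpg_version is None:
        return {"status": "unknown", "action": "could not parse gpg version"}
    if gpg_version not in AFFECTED_GNUPG:
        return {"status": "not_affected", "action": "none"}
    # Affected build: upgrading is the fix. The advisory's interim workaround is
    # removing the gpgsm binary, since the CMS (S/MIME) path is the remote trigger.
    if gpgsm_present:
        action = f"update to {FIXED_GNUPG}; until then remove the gpgsm binary"
    else:
        action = f"update to {FIXED_GNUPG} (gpgsm absent, remote trigger blocked)"
    return {"status": "affected", "action": action}


def assess_host() -> dict:
    """Live check of this machine; assumes gpg (and possibly gpgsm) are on PATH."""
    try:
        proc = subprocess.run(["gpg", "--version"], capture_output=True, text=True, check=True)
        out = proc.stdout
    except (OSError, subprocess.CalledProcessError):
        out = ""
    return assess_t8044(parse_gpg_version(out), shutil.which("gpgsm") is not None)


# Constructed sample output in the first-line format that `gpg --version` prints.
SAMPLE_VULNERABLE = "gpg (GnuPG) 2.5.16\nlibgcrypt 1.11.1\n"
SAMPLE_FIXED = "gpg (GnuPG) 2.5.17\nlibgcrypt 1.11.1\n"

if __name__ == "__main__":
    print(assess_t8044(parse_gpg_version(SAMPLE_VULNERABLE), gpgsm_present=True))
    print(assess_host())
```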