Plaintext Recovery Vulnerability in Libgcrypt Affects OpenPGP Implementations
CVE-2021-40528

5.9MEDIUM

Key Information:

Vendor: Gnupg
Status: Libgcrypt
Vendor: CVE Published:; 6 September 2021

What is CVE-2021-40528?

The ElGamal implementation in Libgcrypt prior to version 1.9.4 is susceptible to a vulnerability that allows plaintext recovery. During interactions between cryptographic libraries, a specific combination of parameters—including the prime and generator defined by the receiver's public key, as well as the sender's ephemeral exponents—can lead to a cross-configuration attack against OpenPGP. This can potentially expose sensitive plaintext data, compromising the integrity and confidentiality of cryptographic operations.

References

https://eprint.iacr.org/2021/923

https://ibm.github.io/system-security-research-updates/20...

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 6, 2021
Vulnerability Reserved
Sep 6, 2021

CVE-2021-40528 Data

JSON

Gnupg

What is CVE-2021-40528?

References

CVSS V3.1

Timeline