Verification Denial of Service Vulnerability in GnuPG from GnuPG Development
CVE-2025-30258

2.7 LOW

Key Information:

Vendor: Gnupg

Status
Vendor
CVE Published: 19 March 2025

What is CVE-2025-30258?

In GnuPG versions prior to 2.5.5, importing a specially crafted certificate containing malformed subkey data can lead to a denial of service in signature verification. This occurs when the certificate lacks a valid backsignature or has incorrect usage flags; as a result, users are unable to verify signatures from certain signing keys. This issue can significantly hinder cryptographic operations that rely on GnuPG.

Affected Version(s)

GnuPG 0 < 2.5.5

CVSS V3.1

Score: 2.7
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved