Message Manipulation Vulnerability in GnuPG 2.4.8 by GnuPG
CVE-2025-68972

5.9 MEDIUM

Key Information:

Vendor: Gnupg

Status: Vendor

CVE Published: 27 December 2025

What is CVE-2025-68972?

In GnuPG version 2.4.8, a vulnerability exists that allows an adversary to exploit the format of signed messages. By placing a form feed character ( ) at the end of a plaintext line, an attacker can create a modified version of a signed message. This alteration can lead to successful signature verification even though the integrity of the message is compromised, as the verification process will return an 'invalid armor' error. The issue arises from the reliance on the form feed character as a truncation marker in long plaintext lines, which leaves the signature validation process susceptible to manipulation.

Affected Version(s)

GnuPG <= 2.4.8 (all versions up to and including 2.4.8)

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved