Denial of Service Vulnerability in GnuPG Affects Multiple Versions
CVE-2026-24883

3.7 LOW

Key Information:

Vendor

Gnupg

Status
Vendor
CVE Published:
27 January 2026

What is CVE-2026-24883?

In GnuPG versions prior to 2.5.17, a long signature packet length causes the parse_signature function to succeed while leaving a NULL value in sig->data[]. The application can crash as a result, which makes this a denial-of-service issue. Users are advised to update to GnuPG 2.5.17 or later.

Affected Version(s)

GnuPG 2.5.3 < 2.5.17

CVSS V3.1

Score: 3.7
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
