Heap-Based Buffer Overflow in Libgcrypt May Affect ECDH Ciphertext Processing
CVE-2026-41989

6.7 MEDIUM

Key Information:

Vendor

Gnupg

Status
Vendor
CVE Published:
23 April 2026

What is CVE-2026-41989?

A flaw in Libgcrypt versions prior to 1.12.2 allows an attacker to trigger a heap-based buffer overflow by supplying crafted ECDH ciphertext that the library processes during decryption. The vulnerability can potentially lead to a denial of service, in which malicious data disrupts the cryptographic operations of applications that rely on the library. Users are advised to upgrade to the latest version to protect against these risks.

Affected Version(s)

Libgcrypt from 1.8.8 up to (excluding) 1.10.4

Libgcrypt from 1.11.0 up to (excluding) 1.11.3

Libgcrypt from 1.12.0 up to (excluding) 1.12.2

CVSS v3.1

Score: 6.7
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved