CMS Parsing Vulnerability in GnuPG Affects Multiple Versions
CVE-2026-57062

2.9 LOW

Key Information:

  • Vendor: Gnupg
  • Status: Vendor
  • CVE Published: 23 June 2026

What is CVE-2026-57062?

The gpgsm component of GnuPG before version 2.5.21 mishandles the AES-GCM parameters of a Cryptographic Message Syntax (CMS) message. The GCMParameters structure (RFC 5084) carries an aes-ICVlen field giving the length in bytes of the GCM authentication tag (integrity check value); it defaults to 12, and the RFC permits only 12, 13, 14, 15 or 16. Affected gpgsm does not enforce this: a message declaring an aes-ICVlen of 4 bytes is accepted rather than rejected. Because the tag is what authenticates the ciphertext, accepting a 4-byte tag cuts forgery resistance from the intended 96-bit level to 32 bits, so the exposure is to the integrity of decrypted messages rather than their confidentiality, which matches the Integrity: Low, Confidentiality: None rating below.
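The parsing decision at the heart of this advisory, as an added example that is not GnuPG or libksba code: a minimal DER parser for the RFC 5084 GCMParameters structure, with a permissive mode that accepts any small aes-ICVlen (the bug class described above) beside a strict mode that enforces the 12 to 16 byte range. The function and type names (parse_gcm_params, accepted_icv_len, gcm_params_t) and the three sample DER blobs are constructed for this example and are not taken from any real message or from the GnuPG source.

```c
/*
 * Added example, not GnuPG or libksba code: a minimal DER parser for the
 * CMS AES-GCM parameter block of RFC 5084, section 3.2:
 *   GCMParameters ::= SEQUENCE {
 *     aes-nonce   OCTET STRING,
 *     aes-ICVlen  AES-GCM-ICVlen DEFAULT 12 }   -- INTEGER (12..16)
 * Permissive mode accepts any small aes-ICVlen (the bug class described
 * above); strict mode enforces the RFC range. Names and blobs are assumed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DER_SEQUENCE     0x30
#define DER_OCTET_STRING 0x04
#define DER_INTEGER      0x02

typedef struct {
    const uint8_t *nonce;   /* points into the caller's buffer */
    size_t nonce_len;
    int icv_len;            /* GCM authentication tag length in bytes */
} gcm_params_t;

/* Read one short-form, definite-length TLV with the expected tag at *pos.
 * Returns 0 and advances *pos past the value on success, -1 on error. */
static int der_tlv(const uint8_t *buf, size_t len, size_t *pos,
                   uint8_t expect_tag, const uint8_t **val, size_t *vlen)
{
    size_t l;

    if (*pos + 2 > len || buf[*pos] != expect_tag)
        return -1;
    l = buf[*pos + 1];
    if (l >= 0x80)
        return -1;                   /* long-form length: not needed here */
    if (*pos + 2 + l > len)
        return -1;                   /* truncated value */
    *val = buf + *pos + 2;
    *vlen = l;
    *pos += 2 + l;
    return 0;
}

/* Parse GCMParameters from der[0..der_len). With strict != 0 aes-ICVlen
 * must be 12..16 as RFC 5084 mandates; with strict == 0 any single-byte
 * non-negative INTEGER is accepted, so a 4-byte tag length sails through.
 * Returns 0 on success, -1 on malformed input or a rejected ICV length. */
int parse_gcm_params(const uint8_t *der, size_t der_len, int strict,
                     gcm_params_t *out)
{
    size_t pos = 0, seq_len, vlen;
    const uint8_t *seq, *v;

    if (der_tlv(der, der_len, &pos, DER_SEQUENCE, &seq, &seq_len) != 0 ||
        pos != der_len)              /* malformed, or trailing bytes */
        return -1;
    pos = 0;
    if (der_tlv(seq, seq_len, &pos, DER_OCTET_STRING, &v, &vlen) != 0)
        return -1;
    out->nonce = v;
    out->nonce_len = vlen;
    out->icv_len = 12;               /* DEFAULT 12 when the field is absent */
    if (pos < seq_len) {
        if (der_tlv(seq, seq_len, &pos, DER_INTEGER, &v, &vlen) != 0 ||
            vlen != 1 || (v[0] & 0x80))  /* only tiny positive INTEGERs */
            return -1;
        out->icv_len = v[0];
        if (strict && (out->icv_len < 12 || out->icv_len > 16))
            return -1;               /* the range check the advisory is about */
    }
    return pos == seq_len ? 0 : -1;  /* reject unexpected extra fields */
}

/* ICV length the parser accepts for a blob, or -1 if it rejects the blob. */
int accepted_icv_len(const uint8_t *der, size_t der_len, int strict)
{
    gcm_params_t p;
    return parse_gcm_params(der, der_len, strict, &p) == 0 ? p.icv_len : -1;
}

/* Constructed sample blobs (not from any real message); each carries a
 * 12-byte nonce 00..0b. */
const uint8_t GCM_ICV16[] = {            /* aes-ICVlen = 16: valid       */
    0x30, 0x11, 0x04, 0x0c, 0,1,2,3,4,5,6,7,8,9,10,11, 0x02, 0x01, 0x10 };
const uint8_t GCM_ICV4[] = {             /* aes-ICVlen = 4: out of range */
    0x30, 0x11, 0x04, 0x0c, 0,1,2,3,4,5,6,7,8,9,10,11, 0x02, 0x01, 0x04 };
const uint8_t GCM_ICV_DEFAULT[] = {      /* field omitted: DEFAULT 12    */
    0x30, 0x0e, 0x04, 0x0c, 0,1,2,3,4,5,6,7,8,9,10,11 };

int main(void)
{
    struct { const char *name; const uint8_t *der; size_t len; } cases[] = {
        { "ICVlen=16", GCM_ICV16,       sizeof GCM_ICV16 },
        { "ICVlen=4 ", GCM_ICV4,        sizeof GCM_ICV4 },
        { "absent   ", GCM_ICV_DEFAULT, sizeof GCM_ICV_DEFAULT },
    };
    for (size_t i = 0; i < 3; i++)
        printf("%s permissive=%d strict=%d\n", cases[i].name,
               accepted_icv_len(cases[i].der, cases[i].len, 0),
               accepted_icv_len(cases[i].der, cases[i].len, 1));
    return 0;
}
```

Compile with a C99 compiler and run: strict mode returns -1 for the 4-byte case where permissive mode returns 4, and the field-absent blob yields the default of 12 in both modes. A production decoder should additionally reject an explicitly encoded value of 12, since DER forbids encoding a DEFAULT value, and the decryption routine should refuse to verify a tag shorter than its own configured minimum even if the parameter parser lets the value through.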

Affected Version(s)

GnuPG, all versions up to and including 2.5.20 (fixed in 2.5.21)

References

CVSS V3.1

Score: 2.9
Severity: LOW
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved
