CVE-2026-24883

MEDIUM EPSS 35.7%
Published Jan 27, 20265mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Jan 27, 2026 5mo ago
Last Modified Jun 17, 2026 1w ago

Description

In GnuPG before 2.5.17, a long signature packet length causes parse_signature to return success with sig->data[] set to a NULL value, leading to a denial of service (application crash).

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
35.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 2

VendorProductVersionRange
gnupggnupg*≥2.5.13  –  <2.5.17
gpg4wingpg4win*≥5.0.0  –  <5.0.1

References 2

  • dev.gnupg.org https://dev.gnupg.org/T8049
    PatchProduct
  • openwall.com https://www.openwall.com/lists/oss-security/2026/01/27/8
    Mailing ListThird Party Advisory

Remediation