CVE-2026-57062

LOW EPSS 1.5%

Published Jun 23, 20266d ago · Modified Jun 23, 20266d ago

2.9 CVSS 3.1

Low

Published Jun 23, 2026 6d ago

Last Modified Jun 23, 2026 6d ago

Description

CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is related to CVE-2026-34182.

CVSS Details

Base Score

2.9

Exploitability

1.4

Impact

1.4

Vector string

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector Local

Attack Complexity High

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality None

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

1.5% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-1284

References 2

blog.calif.io https://blog.calif.io/p/how-to-format-a-ciphertext
gnupg.org https://www.gnupg.org/download/

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.