CVE-2026-24882

8.4 HIGH

📋 TL;DR

A stack-based buffer overflow vulnerability in GnuPG's tpm2daemon component allows attackers to execute arbitrary code or cause denial of service when processing PKDECRYPT commands for TPM-backed keys. This affects systems using GnuPG with TPM 2.0 hardware security modules for RSA/ECC key operations. The vulnerability is particularly dangerous in environments where GnuPG handles sensitive cryptographic operations.

💻 Affected Systems

Products:
  • GnuPG (GPG)
  • gnupg2
Versions: All versions before 2.5.17
Operating Systems: Linux, Unix-like systems, Windows (if using affected GnuPG versions)
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when tpm2daemon is running and TPM 2.0-backed RSA/ECC keys are being used. Systems without TPM hardware or not using TPM-backed keys are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the tpm2daemon process (often root), potentially leading to complete system compromise, TPM key exfiltration, and lateral movement.

🟠 Likely Case

Denial of service through daemon crashes, with potential for limited code execution in constrained environments where exploit conditions are met.

🟢 If Mitigated

Minimal impact if tpm2daemon is not running, TPM-backed keys are not used, or proper network segmentation isolates vulnerable systems.

🌐 Internet-Facing: MEDIUM - While tpm2daemon typically listens locally, exposed services using GnuPG with TPM integration could be vulnerable if network access is misconfigured.
🏢 Internal Only: HIGH - Internal systems using GnuPG with TPM 2.0 for cryptographic operations are directly vulnerable to authenticated or local attackers.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires sending malformed PKDECRYPT commands to the tpm2daemon, which typically requires local or authenticated access. The buffer overflow is in a specific command handler, making exploitation more targeted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.17 and later

Vendor Advisory: https://dev.gnupg.org/T8045

Restart Required: Yes

Instructions:

1. Back up the existing GnuPG configuration and keys.
2. Download GnuPG 2.5.17 or later from https://gnupg.org/download/.
3. Follow the standard build/install procedure for your distribution.
4. Restart tpm2daemon and any dependent services.

🔧 Temporary Workarounds

Disable tpm2daemon (Linux)

Stop and disable the tpm2daemon service if TPM-backed keys are not required:

sudo systemctl stop tpm2daemon
sudo systemctl disable tpm2daemon

Network isolation (Linux)

Ensure the tpm2daemon socket is only accessible locally and is not exposed to the network. tpm2daemon listens on a Unix domain socket, so list all listening sockets rather than only TCP ones (netstat -t would not show it):

sudo ss -lp | grep tpm2daemon

Verify that only local sockets are listed: the Unix socket under /run/user/<uid>/gnupg/ or, if any TCP listener appears, only 127.0.0.1 or ::1.

🧯 If You Can't Patch

  • Disable use of TPM-backed keys and switch to software-only keys
  • Implement strict access controls to limit who can communicate with tpm2daemon socket

🔍 How to Verify

Check if Vulnerable:

Check the GnuPG version and whether tpm2daemon is running:

gpg --version | head -1
systemctl status tpm2daemon

Check Version:

gpg --version | head -1

Verify Fix Applied:

Verify that the version is 2.5.17 or later:

gpg --version | head -1

The output should show 2.5.17 or higher.
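The three checks above (version, daemon present, conclusion) combined into one script, as an added example that is not part of this advisory or of GnuPG itself. It takes the 2.5.17 threshold from the advisory and the default socket path from the Detection section; it assumes tpm2daemon may be started on demand by gpg-agent rather than as a systemd unit, so it looks for a process or a socket instead of calling systemctl.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether this host is in the
# affected state: GnuPG older than 2.5.17 AND tpm2daemon present.

# version_ge A B -> exit 0 if dotted version A >= B, comparing up to 3 numeric fields
version_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}            # missing field (e.g. "2.6") counts as 0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# gpg_version_of LINE -> version number from a "gpg (GnuPG) 2.4.5" banner line
gpg_version_of() {
    printf '%s\n' "$1" | sed -n 's/^gpg (GnuPG[^)]*) \([0-9][0-9.]*\).*/\1/p'
}

# tpm2daemon_present -> exit 0 if a tpm2daemon process or its default socket exists
# (socket path is the default quoted in the advisory's Detection section)
tpm2daemon_present() {
    pgrep -x tpm2daemon >/dev/null 2>&1 && return 0
    [ -S "/run/user/$(id -u)/gnupg/S.tpm2daemon" ]
}

# assess VERSION PRESENT -> "patched", "vulnerable" or "not-exposed"
# PRESENT is 0 when tpm2daemon is present, 1 otherwise
assess() {
    if version_ge "$1" 2.5.17; then
        echo patched
    elif [ "$2" -eq 0 ]; then
        echo vulnerable
    else
        echo not-exposed      # old GnuPG, but no tpm2daemon: not affected per the advisory
    fi
}

main() {
    line=$(gpg --version 2>/dev/null | head -1)
    v=$(gpg_version_of "$line")
    if [ -z "$v" ]; then echo "gpg not found or unrecognised banner"; return 2; fi
    if tpm2daemon_present; then present=0; else present=1; fi
    if [ "$present" -eq 0 ]; then state=present; else state=absent; fi
    printf 'GnuPG %s, tpm2daemon %s: %s\n' "$v" "$state" "$(assess "$v" "$present")"
}

# Usage: sh check_tpm2daemon.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

The "not-exposed" result mirrors the advisory's note that hosts without tpm2daemon are unaffected; it is still worth patching, since the daemon can appear later when a TPM-backed key is first used.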

📡 Detection & Monitoring

Log Indicators:

  • tpm2daemon crash logs in systemd journal
  • Abnormal PKDECRYPT command patterns in GnuPG logs
  • Core dumps from tpm2daemon process

Network Indicators:

  • Unexpected connections to tpm2daemon socket (default: /run/user/<uid>/gnupg/S.tpm2daemon)
  • Network traffic to local TPM-related ports

SIEM Query:

process_name:"tpm2daemon" AND (event_type:"crash" OR exit_code:139)
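The same crash indicators applied to journal-style log lines on a host that has no SIEM, as an added example that is not part of this advisory. The log lines are constructed for illustration; the patterns cover the three indicators listed above (kernel segfault line, systemd-coredump line, exit code 139) and the journalctl options used are the standard --no-pager and -o short.

```shell
#!/bin/sh
# Added example (not from the advisory): flag tpm2daemon crash indicators in
# journal-style log lines. SAMPLE_LOG is constructed, not a real capture.

SAMPLE_LOG='Mar 03 10:01:12 host gpg-agent[1201]: tpm2daemon started
Mar 03 10:01:40 host kernel: tpm2daemon[1340]: segfault at 0 ip 00005581c3a1f2e0 sp 00007ffd4b2c1a30 error 4 in tpm2daemon[5581c3a00000+40000]
Mar 03 10:01:40 host systemd-coredump[1350]: Process 1340 (tpm2daemon) of user 1000 dumped core.
Mar 03 10:02:05 host gpg-agent[1201]: tpm2daemon exited with code 139
Mar 03 10:05:00 host sshd[900]: Accepted publickey for alice from 10.0.0.5'

# crash_indicators: read log lines on stdin, print "<timestamp> <reason>" for each
# line that mentions tpm2daemon together with a crash indicator
crash_indicators() {
    awk '
    /tpm2daemon/ {
        reason = ""
        if ($0 ~ /segfault|SIGSEGV|SEGV/)  reason = "segfault"
        else if ($0 ~ /dumped core/)       reason = "coredump"
        else if ($0 ~ /code 139/)          reason = "exit-139"   # 128 + SIGSEGV(11)
        if (reason != "") print $1, $2, $3, reason
    }'
}

# count_crash_indicators: number of flagged lines on stdin
count_crash_indicators() {
    crash_indicators | wc -l | tr -d ' '
}

# live_scan: run the same filter over the local systemd journal
live_scan() {
    journalctl --no-pager -o short 2>/dev/null | crash_indicators
}

# Usage: sh scan_tpm2daemon.sh --sample   (or --live for the real journal)
case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_LOG" | crash_indicators ;;
    --live)   live_scan ;;
esac
```

A single flagged line is a weak signal (a daemon can also crash for hardware or configuration reasons); repeated segfaults around PKDECRYPT activity, as the Log Indicators list describes, are what warrant investigation.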
