CVE-2026-24883 – This vulnerability in GnuPG allows an attacker ... (How to Fix)

Q: What is the severity of CVE-2026-24883?

CVE-2026-24883 has a CVSS score of 3.7 (LOW). This vulnerability in GnuPG allows an attacker to crash the application by sending a specially crafted signature packet with an excessive length. When parsed, this causes a NULL pointer dereference, resulting in denial of service. Anyone using vulnerable versions of GnuPG for encryption, decryption, or signature verification is affected.

📋 TL;DR

This vulnerability in GnuPG allows an attacker to crash the application by sending a specially crafted signature packet with an excessive length. When parsed, this causes a NULL pointer dereference, resulting in denial of service. Anyone using vulnerable versions of GnuPG for encryption, decryption, or signature verification is affected.

💻 Affected Systems

Products:

GnuPG (GPG)

Versions: All versions before 2.5.17

Operating Systems: Linux, Unix-like systems, Windows, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: Any application or service that uses GnuPG libraries or command-line tools for signature verification is vulnerable when processing malicious signatures.

📦 What is this software?

Gnupg by Gnupg

View all CVEs affecting Gnupg →

Gpg4win by Gpg4win

View all CVEs affecting Gpg4win →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service for GnuPG-dependent applications, potentially disrupting encryption/decryption workflows, automated signing processes, or email security operations.

🟠

Likely Case

Application crash when processing malicious signatures, requiring manual restart of affected services or processes.

🟢

If Mitigated

Minimal impact with proper input validation and error handling in calling applications, though GnuPG itself would still crash.

🌐 Internet-Facing: MEDIUM - Exploitation requires the attacker to provide a malicious signature to the GnuPG process, which could occur through email, file uploads, or API calls.

🏢 Internal Only: LOW - Requires an attacker with access to provide malicious input to GnuPG processes, typically through compromised systems or malicious insiders.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires the ability to provide a malicious signature to GnuPG, which could be achieved through various vectors including malicious files, emails, or API inputs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.17 and later

Vendor Advisory: https://dev.gnupg.org/T8049

Restart Required: Yes

Instructions:

1. Download GnuPG 2.5.17 or later from https://gnupg.org/download. 2. Follow installation instructions for your platform. 3. Restart any services or applications using GnuPG.

🔧 Temporary Workarounds

Input validation wrapper

all

Implement input validation in applications calling GnuPG to reject suspicious signature packets before passing to GnuPG.

🧯 If You Can't Patch

Implement strict input validation in all applications that call GnuPG to filter potentially malicious signatures.
Monitor GnuPG processes for crashes and implement automatic restart mechanisms for critical services.

🔍 How to Verify

Check if Vulnerable:

Run 'gpg --version' and check if version is below 2.5.17.

Check Version:

gpg --version | head -1

Verify Fix Applied:

After updating, run 'gpg --version' to confirm version is 2.5.17 or higher.

📡 Detection & Monitoring

Log Indicators:

GnuPG process crashes with segmentation fault or NULL pointer errors
Application logs showing failed signature verification followed by service termination

Network Indicators:

Unusual patterns of signature verification requests followed by service disruption

SIEM Query:

process_name:"gpg" AND (event_type:"crash" OR error:"segmentation fault" OR error:"NULL pointer")

📊 Metadata

CVE ID: CVE-2026-24883

CVSS v3 Score: 3.7 (LOW)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE: CWE-476

EPSS Score: 0.01% exploit probability (1.3th percentile)

Published: January 27, 2026

Last Updated: February 6, 2026

🔗 References

https://dev.gnupg.org/T8049 Patch,Product
https://www.openwall.com/lists/oss-security/2026/01/27/8 Mailing List,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-24883, you might also want to check these: