Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68973

CVE-2025-68973: GnuPG Buffer Overflow Vulnerability

CVE-2025-68973 is a buffer overflow vulnerability in GnuPG's armor_filter function that causes an out-of-bounds write with crafted input. This article covers the technical details, affected versions, and mitigation.

Updated:

CVE-2025-68973 Overview

CVE-2025-68973 is an out-of-bounds write vulnerability in GnuPG versions prior to 2.4.9. The flaw resides in the armor_filter function in g10/armor.c, where an index variable is incremented twice instead of once during buffer copy operations. Crafted ASCII-armored input can trigger memory corruption when processed by the armor parser. The issue affects standard GnuPG releases before 2.4.9, while ExtendedLTS branches are patched in versions 2.2.51 and later. The vulnerability is tracked under [CWE-787] (Out-of-Bounds Write) and [CWE-675] (Multiple Operations on Resource in Single-Operation Context).

Critical Impact

Crafted ASCII-armored input processed by GnuPG can cause memory corruption, potentially leading to local code execution or denial of service in cryptographic workflows that parse untrusted armored data.

Affected Products

  • GnuPG versions before 2.4.9
  • GnuPG ExtendedLTS versions before 2.2.51
  • Linux distributions packaging vulnerable GnuPG releases (Debian LTS advisory issued)

Discovery Timeline

  • 2025-12-28 - CVE-2025-68973 published to NVD
  • 2025-12-29 - Public disclosure via Openwall oss-security mailing list
  • 2026-01-14 - Last updated in NVD database

Technical Details for CVE-2025-68973

Vulnerability Analysis

The vulnerability exists in the ASCII armor parser used by GnuPG to decode armored OpenPGP messages. The armor_filter function in g10/armor.c contains a loop that copies buffered data into an output buffer. The loop body increments the destination index n twice in a single iteration, once in the for statement and once in the assignment expression. This double increment causes the loop to write past the bounds of the destination buffer when the buffered input is larger than expected. Attackers who can supply crafted armored input to a GnuPG process can corrupt adjacent memory, with potential consequences including process crash or arbitrary code execution within the user context running GnuPG.

Root Cause

The root cause is a typographical defect [CWE-675] in the index update logic of the armor buffer copy loop. Both the loop iterator n++ and the post-increment in buf[n++] = afx->buffer[afx->buffer_pos++] advance n, causing the write to skip positions and overrun the allocated size boundary. This results in an out-of-bounds write [CWE-787] on the destination buffer.

Attack Vector

Exploitation requires a local attacker with low privileges to deliver crafted ASCII-armored OpenPGP input to a GnuPG instance. Triggering the flaw depends on specific buffer state conditions in the armor parser, which contributes to the high attack complexity. Successful exploitation impacts confidentiality, integrity, and availability of the affected process.

c
// Patch in g10/armor.c - removes the extra increment of n
	n = 0;
	if( afx->buffer_len ) {
            /* Copy the data from AFX->BUFFER to BUF.  */
-	    for(; n < size && afx->buffer_pos < afx->buffer_len; n++ )
-		buf[n++] = afx->buffer[afx->buffer_pos++];
+            for(; n < size && afx->buffer_pos < afx->buffer_len;)
+                buf[n++] = afx->buffer[afx->buffer_pos++];
	    if( afx->buffer_pos >= afx->buffer_len )
		afx->buffer_len = 0;
	}
// Source: https://github.com/gpg/gnupg/commit/115d138ba599328005c5321c0ef9f00355838ca9

The patch removes the redundant n++ from the for statement, leaving a single increment in the loop body. See the GnuPG security commit for full diff context.

Detection Methods for CVE-2025-68973

Indicators of Compromise

  • Unexpected GnuPG process crashes or segmentation faults when decoding ASCII-armored OpenPGP messages
  • Abnormal memory access violations in gpg or gpg2 processes during signature verification or decryption workflows
  • Receipt of suspicious armored OpenPGP files from untrusted sources, particularly automated mail or repository signing pipelines

Detection Strategies

  • Inventory installed GnuPG packages and compare against patched versions 2.4.9 and 2.2.51 to identify exposed systems
  • Audit automated workflows (CI/CD, package signing, mail filters) that process armored OpenPGP input from external sources
  • Monitor for core dumps or crash telemetry from gpg binaries across managed Linux endpoints

Monitoring Recommendations

  • Forward operating system crash logs and gpg process telemetry to a centralized log platform for correlation
  • Alert on repeated gpg invocations failing with abnormal exit codes on the same host within short time windows
  • Track inbound armored OpenPGP messages reaching servers that run automated GnuPG verification

How to Mitigate CVE-2025-68973

Immediate Actions Required

  • Upgrade GnuPG to version 2.4.9 or later, or to 2.2.51 or later for ExtendedLTS deployments
  • Apply distribution-provided security updates such as those announced in the Debian LTS advisory
  • Restrict automated GnuPG processing of armored input from untrusted sources until patches are deployed

Patch Information

The fix is committed in GnuPG upstream as commit 115d138 and shipped in releases 2.4.9 and 2.2.51. The change set is visible in the gnupg-2.2.50...gnupg-2.2.51 comparison. Additional technical context is available in the Openwall oss-security disclosure and the gpg.fail memcpy writeup.

Workarounds

  • Avoid passing armored OpenPGP files from untrusted senders to vulnerable gpg binaries
  • Run GnuPG operations inside sandboxed or containerized environments to limit blast radius of memory corruption
  • Disable or gate automated armor parsing in mail and CI pipelines until upgrades are confirmed
bash
# Verify the installed GnuPG version against the patched releases
gpg --version | head -n 1

# Debian/Ubuntu: apply distribution security updates
sudo apt-get update && sudo apt-get install --only-upgrade gnupg gnupg2 gpgv

# RHEL/Fedora: install vendor-provided patched package
sudo dnf upgrade gnupg2

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.