Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-24881

CVE-2026-24881: GnuPG Buffer Overflow Vulnerability

CVE-2026-24881 is a stack-based buffer overflow in GnuPG affecting versions before 2.5.17. Attackers can exploit crafted CMS messages to cause denial of service or achieve remote code execution. This post covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-24881 Overview

A stack-based buffer overflow vulnerability exists in GnuPG versions prior to 2.5.17. The vulnerability occurs when gpg-agent processes a specially crafted CMS (S/MIME) EnvelopedData message containing an oversized wrapped session key during PKDECRYPT--kem=CMS handling. Successful exploitation can result in denial of service and potentially remote code execution due to memory corruption.

Critical Impact

This vulnerability allows remote attackers to trigger a stack-based buffer overflow through malicious S/MIME messages, potentially leading to denial of service or arbitrary code execution on systems running vulnerable GnuPG versions.

Affected Products

  • GnuPG versions prior to 2.5.17
  • Systems using gpg-agent for S/MIME (CMS) message decryption
  • Applications relying on GnuPG for cryptographic operations involving CMS EnvelopedData

Discovery Timeline

  • 2026-01-27 - CVE-2026-24881 published to NVD
  • 2026-01-29 - Last updated in NVD database

Technical Details for CVE-2026-24881

Vulnerability Analysis

This vulnerability is classified as CWE-121 (Stack-based Buffer Overflow). The flaw resides in the gpg-agent component, which handles cryptographic agent operations for GnuPG. When processing CMS (Cryptographic Message Syntax) EnvelopedData messages used in S/MIME encryption, the agent fails to properly validate the size of wrapped session keys before copying them to a stack-allocated buffer.

The attack requires no authentication and can be triggered remotely through the network, though it requires certain conditions to be met for successful exploitation, making it moderately complex to exploit reliably. The vulnerability affects the confidentiality, integrity, and availability of affected systems.

Root Cause

The root cause is improper bounds checking in the PKDECRYPT--kem=CMS handling code path within gpg-agent. When a CMS EnvelopedData message is received with a wrapped session key that exceeds the expected size, the code copies the oversized data into a fixed-size stack buffer without adequate validation. This leads to a classic stack-based buffer overflow condition where adjacent stack memory, including return addresses and saved registers, can be overwritten.

Attack Vector

The vulnerability can be exploited remotely over the network by sending a maliciously crafted S/MIME message to a target system. The attack flow involves:

  1. An attacker crafts a CMS EnvelopedData message with an abnormally large wrapped session key
  2. The victim's email client or application processes the S/MIME message using GnuPG
  3. The gpg-agent process attempts to decrypt the message via the PKDECRYPT--kem=CMS code path
  4. The oversized session key overflows the stack buffer, corrupting adjacent memory
  5. Depending on the attacker's payload, this results in denial of service or potentially arbitrary code execution

The vulnerability can be triggered through any application that uses GnuPG for S/MIME message processing, including email clients configured to decrypt encrypted messages automatically. For more technical details, refer to the GnuPG Task T8044 and the Openwall OSS Security Discussion.

Detection Methods for CVE-2026-24881

Indicators of Compromise

  • Unexpected crashes or termination of gpg-agent processes
  • Core dumps or crash reports from gpg-agent indicating stack corruption
  • Suspicious S/MIME encrypted messages with abnormally large encrypted content
  • Anomalous memory access patterns in GnuPG-related processes

Detection Strategies

  • Monitor for repeated gpg-agent process crashes or restarts that may indicate exploitation attempts
  • Implement email gateway filtering to inspect S/MIME message structures for anomalous wrapped key sizes
  • Deploy endpoint detection solutions to identify stack buffer overflow exploitation patterns
  • Use application crash monitoring to detect abnormal gpg-agent terminations

Monitoring Recommendations

  • Enable verbose logging for gpg-agent to capture detailed operation logs
  • Configure system audit logging to track gpg-agent process execution and termination events
  • Implement network traffic analysis to identify potentially malicious S/MIME message patterns
  • Monitor for unusual memory allocation patterns in cryptographic processing pipelines

How to Mitigate CVE-2026-24881

Immediate Actions Required

  • Upgrade GnuPG to version 2.5.17 or later immediately
  • Restrict processing of S/MIME messages from untrusted sources until patching is complete
  • Consider temporarily disabling automatic S/MIME message decryption in email clients
  • Implement network-level filtering for suspicious S/MIME content at email gateways

Patch Information

GnuPG has addressed this vulnerability in version 2.5.17. Administrators should update their GnuPG installations to this version or later. Detailed information about the fix is available in the GnuPG Task T8044. For environments where immediate upgrading is not feasible, review the workarounds section below for interim protective measures.

Workarounds

  • Disable S/MIME (CMS) processing in gpg-agent if not required for business operations
  • Configure email clients to not automatically decrypt S/MIME messages, requiring manual decryption for reviewed messages only
  • Implement email filtering rules to quarantine S/MIME encrypted messages for manual review
  • Use application sandboxing or containerization to limit the impact of potential exploitation
bash
# Verify GnuPG version to confirm patch status
gpg --version

# If version is below 2.5.17, update GnuPG
# On Debian/Ubuntu systems:
sudo apt update && sudo apt install gnupg

# On RHEL/CentOS systems:
sudo dnf update gnupg2

# On macOS with Homebrew:
brew upgrade gnupg

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.