Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-57062

CVE-2026-57062: GnuPG gpgsm CMS Parsing Vulnerability

CVE-2026-57062 is a CMS parsing flaw in GnuPG's gpgsm that mishandles AES-GCM format by accepting 4 bytes instead of the required 12 bytes for aes-ICVlen. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-57062 Overview

CVE-2026-57062 affects the Cryptographic Message Syntax (CMS) parser in gpgsm, the S/MIME component of GnuPG through version 2.5.20. The parser mishandles the CMS format for AES-GCM by accepting an aes-ICVlen (Integrity Check Value length) of 4 bytes when the specification requires 12 bytes. This weakens the authentication guarantees of AES-GCM by reducing the effective integrity tag size. The flaw is related to CVE-2026-34182 and is classified under [CWE-1284] (Improper Validation of Specified Quantity in Input).

Critical Impact

An attacker with local access can craft CMS messages whose authentication tags are easier to forge, undermining the integrity properties of AES-GCM-protected content processed by gpgsm.

Affected Products

  • GnuPG through version 2.5.20
  • gpgsm CMS parser component
  • S/MIME workflows that rely on gpgsm for AES-GCM decryption or verification

Discovery Timeline

  • 2026-06-23 - CVE-2026-57062 published to the National Vulnerability Database (NVD)
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2026-57062

Vulnerability Analysis

The vulnerability resides in how gpgsm parses CMS structures that wrap AES-GCM authenticated content. AES-GCM uses an Integrity Check Value, commonly referred to as the authentication tag, to detect tampering of ciphertext and associated data. The CMS profile for AES-GCM specifies that the aes-ICVlen field must be 12 bytes. The gpgsm parser accepts a value of 4 bytes without rejecting the message. A shorter tag dramatically lowers the work required to forge a valid ciphertext, because the probability of a random tag collision scales with tag length.

The issue is closely related to CVE-2026-34182, which covers an adjacent flaw in the same parsing logic. Successful exploitation requires local access and high attack complexity, and the resulting impact is limited to integrity loss rather than confidentiality or availability.

Root Cause

The root cause is missing validation of the aes-ICVlen parameter inside the CMS AES-GCM content type handler in gpgsm. The parser does not enforce the 12-byte requirement mandated by the CMS specification and instead accepts non-compliant tag lengths. This is a classic improper input validation defect categorized as [CWE-1284].

Attack Vector

A local attacker supplies a crafted CMS message to gpgsm in which the AES-GCM structure declares a 4-byte ICV. When gpgsm processes the message, it uses the truncated tag for authentication. The attacker can then attempt forgeries against the weakened tag with significantly less effort than against a full 12-byte tag, enabling integrity attacks on CMS-protected content. No code execution or privilege escalation is required, and no user interaction is needed beyond standard processing of the malicious CMS object.

No public proof-of-concept or exploit code is currently available. Refer to the Calif.io blog post on ciphertext formatting for background on related CMS parsing issues.

Detection Methods for CVE-2026-57062

Indicators of Compromise

  • CMS messages processed by gpgsm that contain an aes-ICVlen value other than 12 bytes
  • Unexpected S/MIME or CMS payloads with truncated AES-GCM authentication tags
  • gpgsm invocations against attacker-supplied or untrusted CMS files on multi-user systems

Detection Strategies

  • Inspect CMS objects with ASN.1 decoders such as dumpasn1 or openssl asn1parse and flag any AES-GCM ICVlen not equal to 12.
  • Query installed GnuPG versions across the fleet and identify hosts running gpg or gpgsm from versions through 2.5.20.
  • Audit application logs for gpgsm processing of S/MIME content originating from untrusted sources.

Monitoring Recommendations

  • Monitor execution of the gpgsm binary on shared and multi-user hosts, correlating with the source of input files.
  • Track package inventory changes for gnupg, gnupg2, and gpgsm to confirm patch adoption.
  • Alert on CMS files written to user-writable directories that are later passed to gpgsm.

How to Mitigate CVE-2026-57062

Immediate Actions Required

  • Upgrade GnuPG to a version newer than 2.5.20 once a fixed release is published on the GnuPG download page.
  • Restrict gpgsm processing to CMS content from trusted senders until patched.
  • Review automated pipelines that decrypt or verify S/MIME messages with gpgsm and add upstream validation.

Patch Information

No fixed version is listed in the NVD record at the time of publication. Track the GnuPG download page and distribution security advisories for an update beyond 2.5.20 that enforces the 12-byte aes-ICVlen requirement. Apply the patch through the standard package manager once available.

Workarounds

  • Pre-validate incoming CMS messages with an external ASN.1 tool and reject any AES-GCM structure whose ICVlen is not 12 bytes before passing the message to gpgsm.
  • Limit local accounts that can invoke gpgsm against untrusted input, reducing exposure given the local attack vector.
  • Prefer alternative CMS or S/MIME processors that strictly enforce the AES-GCM tag length until GnuPG is updated.
bash
# Configuration example: reject CMS files with non-compliant AES-GCM ICV length
# before invoking gpgsm. Adjust the OID/path to match your toolchain.
icvlen=$(openssl asn1parse -in message.p7m -inform DER \
  | awk '/aes.*GCM/{found=1} found && /INTEGER/{print $NF; exit}')
if [ "$icvlen" != "12" ]; then
  echo "Rejecting CMS message: non-compliant aes-ICVlen=$icvlen" >&2
  exit 1
fi
gpgsm --decrypt message.p7m

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.