CVE-2026-57062

low

Description

CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is related to CVE-2026-34182.

References

https://www.gnupg.org/download/

https://blog.calif.io/p/how-to-format-a-ciphertext

Details

Source: Mitre, NVD

Published: 2026-06-23

Updated: 2026-06-23

Risk Information

CVSS v2

Base Score: 1.2

Vector: CVSS2#AV:L/AC:H/Au:N/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 2.9

Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N