CVE-2026-24883

Published: Jan 27, 2026Modified: Feb 6, 2026

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

In GnuPG before 2.5.17, a long signature packet length causes parse_signature to return success with sig->data[] set to a NULL value, leading to a denial of service (application crash).

Affected (2)

Products: Gnupg: Gnupg · Gpg4win: Gpg4win

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Gnupg Gnupg	From 2.5.13 to 2.5.17
Gpg4win Gpg4win	From 5.0.0 to 5.0.1

Related CWEs

CWE-476

NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

References (2)

https://dev.gnupg.org/T8049

Source: cve@mitre.org

PatchProduct

https://www.openwall.com/lists/oss-security/2026/01/27/8

Source: cve@mitre.org

Mailing ListThird Party Advisory

Timeline

No history available yet.