Libgcrypt

libgcrypt

Vendor: Gnupg • 17 CVEs

CVEs (17)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-41990 1Gnupg 1Libgcrypt Apr 27, 2026 Apr 23, 2026 N/A· v4 4.0 MEDIUM· v3 N/A· v2 Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.
CVE-2026-41989 1Gnupg 1Libgcrypt Apr 27, 2026 Apr 23, 2026 N/A· v4 6.7 MEDIUM· v3 N/A· v2 Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.
CVE-2021-40528 1Gnupg 1Libgcrypt Jun 9, 2025 Sep 6, 2021 N/A· v4 5.9 MEDIUM· v3 2.6 LOW· v2 The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's publi...Show more The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.Show less
CVE-2021-33560 4Debian FedoraprojectGnupg+1 more 8Communications Cloud Native Core Binding Support Function Communications Cloud Native Core Network Function Cloud Native EnvironmentCommunications Cloud Native Core Network Repository Function+5 more Dec 3, 2025 Jun 8, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for...Show more Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.Show less
CVE-2021-3345 2Gnupg Oracle 2Communications Billing And Revenue Management Libgcrypt Nov 21, 2024 Jan 29, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 _gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1 or later.
CVE-2015-0837 2Debian Gnupg 3Debian Linux GnupgLibgcrypt Nov 21, 2024 Nov 29, 2019 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation,...Show more The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a "Last-Level Cache Side-Channel Attack."Show less
CVE-2014-3591 2Debian Gnupg 3Debian Linux GnupgLibgcrypt Nov 21, 2024 Nov 29, 2019 N/A· v4 4.2 MEDIUM· v3 1.9 LOW· v2 Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using cr...Show more Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.Show less
CVE-2019-12904 2Gnupg Opensuse 2Leap Libgcrypt Nov 21, 2024 Jun 20, 2019 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an ass...Show more In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) NOTE: the vendor's position is that the issue report cannot be validated because there is no description of an attackShow less
CVE-2017-7526 3Canonical DebianGnupg 3Debian Linux LibgcryptUbuntu Linux Nov 21, 2024 Jul 26, 2018 N/A· v4 6.8 MEDIUM· v3 4.3 MEDIUM· v2 libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is...Show more libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used.Show less
CVE-2018-0495 5Canonical DebianGnupg+2 more 8Ansible Tower Debian LinuxEnterprise Linux Desktop+5 more Nov 21, 2024 Jun 13, 2018 N/A· v4 4.7 MEDIUM· v3 1.9 LOW· v2 Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign functi...Show more Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.Show less
CVE-2018-6829 1Gnupg 1Libgcrypt Nov 21, 2024 Feb 7, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not hav...Show more cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.Show less
CVE-2017-0379 2Debian Gnupg 2Debian Linux Libgcrypt May 13, 2026 Aug 29, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Libgcrypt before 1.8.1 does not properly consider Curve25519 side-channel attacks, which makes it easier for attackers to discover a secret key, related to cipher/ecc.c and mpi/ec.c.
CVE-2017-9526 1Gnupg 1Libgcrypt May 13, 2026 Jun 11, 2017 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to s...Show more In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point operations are used in the MPI library.Show less
CVE-2016-6313 3Canonical DebianGnupg 4Debian Linux GnupgLibgcrypt+1 more May 6, 2026 Dec 13, 2016 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveragin...Show more The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits.Show less
CVE-2015-7511 3Canonical DebianGnupg 3Debian Linux LibgcryptUbuntu Linux May 6, 2026 Apr 19, 2016 N/A· v4 2.0 LOW· v3 1.9 LOW· v2 Libgcrypt before 1.6.5 does not properly perform elliptic-point curve multiplication during decryption, which makes it easier for physically proximate attackers to extract ECDH keys by measuring electromagnetic emanation...Show more Libgcrypt before 1.6.5 does not properly perform elliptic-point curve multiplication during decryption, which makes it easier for physically proximate attackers to extract ECDH keys by measuring electromagnetic emanations.Show less
CVE-2014-5270 2Debian Gnupg 2Debian Linux Libgcrypt May 6, 2026 Oct 10, 2014 N/A· v4 N/A· v3 2.1 LOW· v2 Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extrac...Show more Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.Show less
CVE-2013-4242 4Canonical DebianGnupg+1 more 5Debian Linux GnupgLibgcrypt+2 more Apr 29, 2026 Aug 19, 2013 N/A· v4 N/A· v3 1.9 LOW· v2 GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.