[pkg-gnupg-maint] Bug#1126630: gnupg2: CVE-2026-24883
Salvatore Bonaccorso
carnil at debian.org
Fri Jan 30 17:50:41 GMT 2026
Control: notfound -1 2.4.8-5
On Thu, Jan 29, 2026 at 11:09:18PM +0100, Salvatore Bonaccorso wrote:
> Source: gnupg2
> Version: 2.4.8-5
> Severity: important
> Tags: security upstream
> Forwarded: https://dev.gnupg.org/T8049
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
>
> Hi,
>
> The following vulnerability was published for gnupg2.
>
> CVE-2026-24883[0]:
> | In GnuPG before 2.5.17, a long signature packet length causes
> | parse_signature to return success with sig->data[] set to a NULL
> | value, leading to a denial of service (application crash).
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2026-24883
> https://www.cve.org/CVERecord?id=CVE-2026-24883
> [1] https://dev.gnupg.org/T8049
>
> Please adjust the affected versions in the BTS as needed.
This was actually only introduced in 2.5.3 according to the above
upstream referenced issue. So not affecting any of our releases
afaics.
Regards,
Salvatore