There is a buffer overread in the selftest_pbkdf function in libgcrypt.
The bug is triggered in this line:
for (tvidx=0; tv[tvidx].desc; tvidx++)
From what I can tell, the idea here is to iterate over the tv array until it hits an element where desc is set to NULL, i.e. it assumes there is a terminating element with everything set to zero. However, there is no such thing, so it overreads.
I'm attaching a patch.
I have to say I find this very concerning. The bug itself is not very relevant. However, this is a bug triggered by the test suite and can easily be detected by running tests with ASan. Such a bug should be automatically discovered before it hits a release. Testing code with ASan is IMHO one of the most basic security hygiene measures for C-based software that I can think of.
I don't see any indication that libgcrypt is using any kind of CI. It probably should have one that is running the test suite with various safety and bug detection features enabled.
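The loop pattern described in the report, as an added example (not libgcrypt's code and not the attached patch): a sentinel walk bounded by the array's real size, which reports a missing terminator instead of reading past the end, next to count-based iteration that needs no terminator. The struct layout, the table contents and every name except `desc` are constructed assumptions.

```c
#include <stddef.h>

/* Hypothetical test-vector record; only the field name `desc` comes from the report. */
struct tv_entry {
    const char *desc;
    unsigned long iterations;
};

/* Constructed table with no all-zero terminating element. */
static const struct tv_entry tv_unterminated[] = {
    { "vector 1", 1 },
    { "vector 2", 2 },
};

/* Same constructed data, with an explicit sentinel as the last element. */
static const struct tv_entry tv_terminated[] = {
    { "vector 1", 1 },
    { "vector 2", 2 },
    { NULL, 0 },
};

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Sentinel walk bounded by the array's real capacity: returns the number of
   entries before the sentinel, or -1 if the array ends without one. */
static long count_entries(const struct tv_entry *tv, size_t capacity)
{
    for (size_t i = 0; i < capacity; i++)
        if (!tv[i].desc)
            return (long)i;
    return -1;
}

/* Count-bounded iteration: correct with or without a sentinel. */
static unsigned long sum_iterations(const struct tv_entry *tv, size_t n)
{
    unsigned long sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += tv[i].iterations;
    return sum;
}

/* Exit status 0 when the missing sentinel is detected and the counts match. */
int main(void)
{
    return (count_entries(tv_unterminated, ARRAY_LEN(tv_unterminated)) == -1
            && count_entries(tv_terminated, ARRAY_LEN(tv_terminated)) == 2
            && sum_iterations(tv_unterminated, ARRAY_LEN(tv_unterminated)) == 3) ? 0 : 1;
}
```
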