
Release GnuPG 2.5.17 (security)
Open, Low, Public

Description

Noteworthy changes in version 2.5.17 (2026-01-27)

  • agent: Fix stack buffer overflow when using gpgsm and KEM. This was introduced with 2.5.13 (see the notes for that release). [T8044]
  • tpm: Fix possible buffer overflow in PKDECRYPT. [T8045]
  • gpg: Fix possible NULL-deref with overlong signature packets. [T8049]
  • gpg: New export-option "keep-expired-subkeys". [T7990]
  • gpgsm: Make multiple search patterns work with keyboxd. [T8026]
  • agent: Add accelerator keys for "Wrong" and "Correct". [T8055]
  • dirmngr: Help detection of bad keyserver configurations. [T7730]

(prev: T7995 next: T7999)

Event Timeline

werner created this task.
werner created this object with edit policy "Administrators".
werner renamed this task from Release GnuPG 2.5.17 to Release GnuPG 2.5.17 (security). Tue, Jan 27, 3:44 PM
werner updated the task description.
werner changed the visibility from "Public (No Login Required)" to "g10code (Project)".
werner added a project: CVE.

This is a security update

Impact:

These versions are affected:

  • GnuPG 2.5.16 (released 2025-12-30)
  • GnuPG 2.5.15 (released 2025-12-29)
  • GnuPG 2.5.14 (released 2025-11-19)
  • GnuPG 2.5.13 (released 2025-10-22)
  • Gpg4win 5.0.0 (released 2026-01-14)
  • Gpg4win 5.0.0-beta479 (released 2026-01-02)
  • Gpg4win 5.0.0-beta476 (released 2025-12-22)
  • Gpg4win 5.0.0-beta395 (released 2025-10-22)

All other versions are not affected.

A crafted CMS (S/MIME) EnvelopedData message carrying an oversized
wrapped session key can cause a stack buffer overflow in gpg-agent
during the PKDECRYPT --kem=CMS handling. This can easily be used for a
DoS but, worse, the memory corruption can very likely also be used to
mount a remote code execution attack.

A CVE-id has not been assigned. We track this bug as T8044 under
https://dev.gnupg.org/T8044. This vulnerability was discovered by:
OpenAI Security Research. Their report was received on 2026-01-18;
fixed versions released 2026-01-27.

Solution:

If an affected GnuPG version is used please update ASAP to the new
version 2.5.17.

If an affected version of Gpg4win is used please update ASAP to the new
version 5.0.1.

If an immediate update is not possible please remove the gpgsm or
gpgsm.exe binary; this way the bug can't be remotely triggered.
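The following script is an added example written for this page; it is not
part of the GnuPG project or of the advisory. It checks whether the gpg in
PATH is one of the GnuPG releases listed above as affected (2.5.13 through
2.5.16) and whether a gpgsm binary is installed, which is the component the
workaround says to remove. It assumes gpg and gpgsm are found via PATH and
that the first line of "gpg --version" has the form "gpg (GnuPG) <version>".
The Gpg4win entries in the list are not checked here.

```shell
#!/bin/sh
# Added example, not code from the GnuPG project: report whether the
# installed GnuPG is one of the releases the advisory lists as affected
# (2.5.13 through 2.5.16) and whether gpgsm, through which the bug is
# reachable remotely, is installed. Gpg4win versions are not covered.

# Print the leading digits of a version component ("17-beta5" -> "17").
# Prints nothing when the component does not start with a digit.
_num() {
    printf '%s' "${1%%[!0-9]*}"
}

# gnupg_is_affected VERSION
# Exit status 0 if VERSION is 2.5.13, 2.5.14, 2.5.15 or 2.5.16
# (a suffix such as "-beta7" on the last component is ignored), else 1.
gnupg_is_affected() {
    oldifs="$IFS"
    IFS=.
    set -f                # no pathname expansion while splitting
    set -- $1             # split the version string on "."
    set +f
    IFS="$oldifs"
    major="$(_num "${1:-}")"
    minor="$(_num "${2:-}")"
    patch="$(_num "${3:-}")"
    [ -n "$major" ] && [ -n "$minor" ] && [ -n "$patch" ] || return 1
    if [ "$major" -eq 2 ] && [ "$minor" -eq 5 ] &&
       [ "$patch" -ge 13 ] && [ "$patch" -le 16 ]; then
        return 0
    fi
    return 1
}

# Version of the gpg found in PATH (e.g. "2.5.16"), or nothing when gpg
# is not installed. Assumes the first line of "gpg --version" reads
# "gpg (GnuPG) <version>".
installed_gnupg_version() {
    command -v gpg >/dev/null 2>&1 || return 0
    gpg --version 2>/dev/null | awk 'NR == 1 { print $3; exit }'
}

# Path of the gpgsm binary in PATH, or nothing if there is none.
installed_gpgsm_path() {
    command -v gpgsm 2>/dev/null || true
}

# Human-readable summary; exit status is always 0 so it can be run from
# inventory scripts without aborting them.
report() {
    ver="$(installed_gnupg_version)"
    if [ -z "$ver" ]; then
        echo "gpg not found in PATH; nothing to check"
        return 0
    fi
    if gnupg_is_affected "$ver"; then
        echo "GnuPG $ver is AFFECTED: update to 2.5.17 or later"
        gpgsm="$(installed_gpgsm_path)"
        if [ -n "$gpgsm" ]; then
            echo "gpgsm present at $gpgsm; until updated, removing it is"
            echo "the advisory's workaround to block the remote trigger"
        else
            echo "gpgsm not in PATH; the remote trigger is not reachable"
        fi
    else
        echo "GnuPG $ver is outside the affected range 2.5.13..2.5.16"
    fi
    return 0
}

report
```

The version test is a range check rather than a lookup of the four
strings so that beta builds of an affected release (e.g. 2.5.15-beta12)
are also flagged. The script only reports; it does not delete gpgsm,
because whether the S/MIME component can be removed is a local decision.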

werner changed the visibility from "g10code (Project)" to "Public (No Login Required)". Tue, Jan 27, 5:11 PM
werner set External Link to https://lists.gnupg.org/pipermail/gnupg-announce/2026q1/000501.html. Tue, Jan 27, 5:52 PM