FWIW: There is actually a problem in the reference code: Having a
fixed size buffer inside a function and allowing the caller to provide
content at arbitrary length is bad coding style because the caller
needs to know internals of the called function (in a different source
file).

This is the original bug report to security at gnupg dated 2026-04-07:

Here is the change:

diff --git a/configure.ac b/configure.ac
index 30be86b5..ac2696e5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3073,7 +3073,8 @@ AC_CHECK_FUNCS(strtoul memmove stricmp atexit raise)
 AC_CHECK_FUNCS(strerror rand mmap getpagesize sysconf waitpid wait4)
 AC_CHECK_FUNCS(gettimeofday getrusage gethrtime clock_gettime syslog)
 AC_CHECK_FUNCS(syscall fcntl ftruncate flockfile getauxval elf_aux_info)
-AC_CHECK_FUNCS(explicit_bzero explicit_memset getentropy sysctlbyname)
+AC_CHECK_FUNCS(memset_explicit explicit_bzero explicit_memset)
+AC_CHECK_FUNCS(getentropy sysctlbyname)

I found the description in ARM Architecture Reference Manual:
https://developer.arm.com/documentation/ddi0487/mb/-Part-D-The-AArch64-System-Level-Architecture/-Chapter-D11-The-Guarded-Control-Stack/-D11-1-Introduction/-D11-1-3-Overview?lang=en

1.8.13 (T8224) and 1.12.2 (T8114) are released

The minimum fix avoids changes needed, thus, a bit confusing as a whole.
Here are better changes:

Here is the fix:

Minimum fix is:

Pushed: rG8b6de59ad880: agent: Raise GPG_ERR_BAD_SECKEY when p >= q for RSA key.

While I pushed the change of libgcrypt, I'd like to apply following change to GnuPG.
This is more kind than GPG_ERR_BAD_PASSPHRASE by gcry_pk_testkey failure.

I retract my patch in T8171#215603

@m.eik gave us this link: https://github.com/ProtonMail/go-crypto/issues/184

Setting to low because this has never been a problem in the last 30 or 35 years. A check to help pinpointing bad keys is however a good idea.

I sent a patch to gcrypt-devel mailing list for the preparation of the change of RSA secret key checking.
If enabled, wrong RSA secret key (wrong means: under the Libre/OpenPGP specification) is rejected at import when gpg-agent calls gcry_pk_test_key.

BTW, LibrePGP also demands p < q in "Algorithm-Specific Part for RSA Keys".

For OpenSSH, ssh-agent spec. defines p, q, and qInv.
FIPS has: FIPS 186-5 and SP 800-56Br2.

existing standards

CRT is used with GnuPG. In libgcrypt, pk_sign and pk_decrypt don't require P, Q, and U in a key (it's optional), but pk_test_key does.

Du we have any information on whether the CRT is used and whether u et al. is also wrong? For example due to an OpenSSL generated key?

The reporter informed us that the possible DoS has CVE number assigned:
CVE-2025-69913

Fixed in 1.12.1.

Fixed in 1.12.0.

FWIW: Okay, gmime is still a wrapper around gpgme. After decryption it has the ability to get the used session key from the gpgme result structure. Thus, I have been on the wrong trail. The actual problem is not gpgme but more GnuPG's use of Libgcrypt or an actual regression in Libgcrypt. Well, Friday 13th.

Any hints where to find the actual crypto code which uses libgcrypt?

Maintainer of the FreeBSD notmuch port/package here. The steps below consistently trigger the problem on FreeBSD 16.0 (unreleased main branch), but there are no problems on FreeBSD 15.0. All my testing was on amd64.

Any hints where to find the actual crypto code which uses libgcrypt?

@thesamesam Thanks a lot.
I managed to replicate the failure somehow (for me, it fails at the importing the key).

I've attached notmuch-bug.log with debug-level guru commented out for gpg-agent:

I can reproduce it using Stuart's script from https://lists.gnupg.org/pipermail/gcrypt-devel/2026-February/006031.html.

Please tell us the information of your environment.
What the versions of gpg and gpg-agent?

We have seen the same thing on amd64 (x86_64) linux: https://bugs.gentoo.org/969501

No, OpenBSD's implementation of POSIX semaphore is different to NetBSD.
(It doesn't support PSHARED=1.)

Possibly, it is related to the NetBSD failure of T8065.
If importing the secret key fails (which invokes gpg-agent), decryption cannot be succeeded.
I will check OpenBSD implementation of POSIX semaphore, if it's similar to NetBSD one.

According to the ML @gniibe tried to replicate the problem without success.

Will go into 1.12.1

Thanks. Will go int the next version.

Thank you, that did indeed fix the problem!

Does following patch help?

Fixed in: rC2c1d41b5f86f: fips,cipher: Fix the regression with disabled public-key algo.

Re-opened because a regression is reported.

Backports have been done in both (1.10/1.11) branches.

Okay, let's backport this.

gpgrt 1.57 will come with gpgrt_fconcat. This can be used to get the sysconfig in a portable way:

@werner For rCd5e3cbfd , my mingw (GCC version 14) complains about the function-return-type difference of the prototype with GetProcAddress.

Scute fixed in rSc3dc9c581631: w32: Use CSIDL_COMMON_APPDATA if available.

Okay, forward porting that patch is the easiest solution. Actually this is not enough: Users of Libgcrypt also need to make sure that the new sysconfig dir has the right permissions. That's a part for the installer and concrete ACLs may differ.

I examined the code of gnupg_sysconfdir in gnupg/common/homedir.c, if we could factor out things to gpgrt, so that something like gpgrt_fconcat with GPGRT_SYSCONFDIR can be implemented.