CVE-2026-57062 PUBLISHED

Assigner: mitre
Reserved: 23.06.2026 Published: 23.06.2026 Updated: 23.06.2026

CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is related to CVE-2026-34182.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 2.9

Attack Vector	Local	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	GnuPG
Product	GnuPG
Versions	Default: unknown affected from 0 to 2.5.20 (incl.)

References

https://blog.calif.io/p/how-to-format-a-ciphertext
https://www.gnupg.org/download/

Problem Types

CWE-1284 Improper Validation of Specified Quantity in Input CWE