GnuPG Verification Denial-of-Service Vulnerability via Malicious Subkey Data

Vulnerability

A denial-of-service vulnerability affecting GnuPG versions prior to 2.5.5 has been identified. This issue arises when a user imports a certificate containing crafted subkey data that either lacks a valid backsignature or has incorrect usage flags. As a result, the user is unable to verify signatures from certain signing keys, leading to a verification denial-of-service.

Impact

Exploitation of this vulnerability causes a verification denial-of-service, where signatures from certain keys cannot be verified due to the presence of a malicious subkey in the keyring.

Reproduction

The vulnerability can be reproduced by importing a crafted OpenPGP certificate that includes a signature subkey without a proper backsignature or with incorrect usage flags. After importing this certificate, attempts to verify signatures from affected signing keys will fail, demonstrating the denial-of-service effect on signature verification.
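As an added example (not code from the advisory or from GnuPG), the following Python script performs a structural audit of an exported OpenPGP certificate: it walks the RFC 4880 packet stream and reports signing-capable subkeys whose subkey-binding signature carries no embedded primary-key binding signature (backsignature, signature type 0x19), which is the shape of subkey data described above. It checks structure only, never cryptographic validity, and the sample certificate bytes are constructed inline with stub key bodies.

```python
import struct
SUBKEY, SIGNATURE, KEY_FLAGS, EMBEDDED_SIG = 14, 2, 27, 32  # packet tags / subpacket types (RFC 4880)
SUBKEY_BINDING, BACKSIG, SIGN_FLAG = 0x18, 0x19, 0x02      # signature types / key-flags "may sign" bit

def _length(buf, i):  # new-format packet or subpacket length octets at buf[i] -> (n, next index)
    n = buf[i]                                  # partial body lengths (224..254) are not supported
    if n < 192: return n, i + 1
    if n < 255: return ((n - 192) << 8) + buf[i + 1] + 192, i + 2
    return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5

def packets(data):
    """Yield (tag, body) per packet, old- or new-format framing (no partial/indeterminate lengths)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40: tag, (n, i) = ctb & 0x3F, _length(data, i + 1)
        else:
            tag, size = (ctb >> 2) & 0x0F, (1, 2, 4)[ctb & 3]
            n, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + n]
        i += n

def sig_fields(body):
    """(signature type, hashed + unhashed subpackets) of a version-4 signature body."""
    if len(body) < 8 or body[0] != 4: return None, []
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    area, i, sps = body[6:6 + hlen] + body[8 + hlen:8 + hlen + ulen], 0, []
    while i < len(area):
        n, i = _length(area, i)
        sps.append((area[i], area[i + 1:i + n])); i += n
    return body[1], sps

def audit(cert):
    """Packet indexes of subkeys whose binding signature claims signing but embeds no backsig."""
    findings, pending = [], None
    for idx, (tag, body) in enumerate(packets(cert)):
        if tag == SUBKEY: pending = idx
        elif tag == SIGNATURE and pending is not None:
            sig_type, sps = sig_fields(body)
            if sig_type != SUBKEY_BINDING: continue
            flags = next((d[0] for t, d in sps if t == KEY_FLAGS and d), 0)
            backsig = any(t == EMBEDDED_SIG and len(d) >= 8 and sig_fields(d)[0] == BACKSIG for t, d in sps)
            if flags & SIGN_FLAG and not backsig: findings.append(pending)
            pending = None
    return findings
# Constructed sample certificates: stub key bodies, old-format headers, no real cryptography.
_KEYS = bytes.fromhex("9806040000000001" "b806040000000001")   # primary key (tag 6) + subkey (tag 14)
_SIG = "04180108" "0003021b02"                                 # v4 subkey-binding sig, key flags = 0x02
GOOD_CERT = _KEYS + bytes.fromhex("8815" + _SIG + "000a" "0920" "0419010800000000")  # embeds a 0x19 backsig
BAD_CERT = _KEYS + bytes.fromhex("880b" + _SIG + "0000")       # signing flag but no embedded signature
```

To audit a real keyring export, read the binary output of `gpg --export` and pass it to `audit`; a non-empty result names the packet positions of subkeys that claim signing capability without a backsignature.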

Remediation

Users can upgrade to GnuPG version 2.5.5 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (custom algorithm)

spread: 7.8
impact: 0.6
exploitability: 5.8
remediation: 8.3
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.