GnuPG Null Pointer Dereference Vulnerability in Signature Packet Parsing

Vulnerability

A null pointer dereference vulnerability has been identified in GnuPG versions prior to 2.5.17. The issue arises when a signature packet declares an excessively long length: the 'parse_signature' function then incorrectly returns a success status while leaving the signature data pointer null. Subsequent functions that process that null pointer crash the application.

Impact

Exploitation of this vulnerability causes an application crash, creating a denial-of-service condition.

Remediation

Users of GnuPG should update to version 2.5.17. For Gpg4win users, the update to version 5.0.1 is recommended. If an immediate update is not feasible, removing the 'gpgsm' or 'gpgsm.exe' binary can prevent the vulnerability from being triggered remotely.
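As an added example (not part of the advisory, and not GnuPG project code), the following POSIX shell script compares an installed GnuPG version against the fixed version 2.5.17 named above, so an administrator can confirm whether an update has actually landed. It assumes that the first line of `gpg --version` has the form `gpg (GnuPG) X.Y.Z` and that version numbers are dotted numeric components; both are assumptions, and the sample banner embedded in the script is constructed for offline use.

```shell
#!/bin/sh
# Added example: check an installed GnuPG version against the fixed release
# (2.5.17) named in the advisory. Not GnuPG project code.
# Assumptions (not from the advisory): dotted numeric version strings, and a
# `gpg --version` banner whose first line looks like "gpg (GnuPG) X.Y.Z".

FIXED_VERSION="2.5.17"

# version_ge A B -> exit status 0 if A >= B (component-wise numeric), else 1.
# Missing trailing components are treated as 0, so "2.5" < "2.5.17".
version_ge() {
    a="$1"; b="$2"
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        # Both strings exhausted with no difference found: A == B.
        [ -z "$x" ] && [ -z "$y" ] && return 0
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# gnupg_status VERSION -> prints "fixed" if VERSION >= 2.5.17, else "vulnerable".
gnupg_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# extract_gpg_version BANNER -> the dotted version from a `gpg --version`
# first line such as "gpg (GnuPG) 2.4.3"; prints nothing if it does not match.
extract_gpg_version() {
    printf '%s\n' "$1" | sed -n 's/^gpg (GnuPG[^)]*) \([0-9][0-9.]*\).*/\1/p'
}

# Constructed sample banner, used only when no gpg binary is on PATH.
SAMPLE_BANNER="gpg (GnuPG) 2.4.3"

# check_installed_gpg -> prints "fixed", "vulnerable", or "unknown" (banner
# could not be parsed). Falls back to the constructed banner for offline runs.
check_installed_gpg() {
    if command -v gpg >/dev/null 2>&1; then
        banner=$(gpg --version 2>/dev/null | head -n 1)
    else
        banner="$SAMPLE_BANNER"
    fi
    v=$(extract_gpg_version "$banner")
    if [ -z "$v" ]; then
        echo "unknown"
        return 0
    fi
    gnupg_status "$v"
}

check_installed_gpg
```

The comparison is done component by component rather than with a string compare, because a lexical comparison would wrongly rank 2.5.9 above 2.5.17; that is the mistake most likely to make a version check report "fixed" for a still-vulnerable build.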

Added: Jan 27, 2026, 7:19 PM
Updated: Jan 27, 2026, 7:19 PM

Vulnerability Rating

Custom Algorithm
spread:          7.8
impact:          2.5
exploitability:  4.3
remediation:     8.3
relevance:       2.3
threat:          0.0
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.