CVE-2026-57062 - Vulnerability Details

CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is related to CVE-2026-34182.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Gnupg	Gnupg

No data.

References

Link	Providers
https://blog.calif.io/p/how-to-format-a-ciphertext
https://www.gnupg.org/download/

History

Tue, 23 Jun 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is related to CVE-2026-34182.
First Time appeared		Gnupg Gnupg gnupg
Weaknesses		CWE-1284
CPEs		cpe:2.3:a:gnupg:gnupg::::::::
Vendors & Products		Gnupg Gnupg gnupg
References		https://blog.calif.io/p/how-to-format-a-ciphertext https://www.gnupg.org/download/
Metrics		cvssV3_1 `{'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-06-23T17:26:25.133Z

Updated: 2026-06-23T17:35:30.113Z

Reserved: 2026-06-23T17:26:24.801Z

Link: CVE-2026-57062

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object