{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-57062", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-06-23T17:26:24.801Z", "datePublished": "2026-06-23T17:26:25.133Z", "dateUpdated": "2026-06-23T17:35:30.113Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "GnuPG", "vendor": "GnuPG", "versions": [{"lessThanOrEqual": "2.5.20", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is related to CVE-2026-34182."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1284", "description": "CWE-1284 Improper Validation of Specified Quantity in Input", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-06-23T17:26:25.133Z"}, "references": [{"url": "https://blog.calif.io/p/how-to-format-a-ciphertext"}, {"url": "https://www.gnupg.org/download/"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnupg:gnupg:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.5.20"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-23T17:35:24.722258Z", "id": "CVE-2026-57062", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T17:35:30.113Z"}}]}}

{}

{}

{"bugzilla": {"description": "GnuPG: Incorrect cryptographic message parsing", "id": "2491859", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491859"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.9", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "details": ["A flaw in GnuPG's gpgsm component improperly handles the Cryptographic Message Syntax (CMS) format for AES-GCM. By accepting an authentication tag length of 4 bytes instead of the required 12 bytes, this vulnerability allows for a low-impact data integrity issue where the cryptographic validity of messages could be compromised."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-57062", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "gnupg2", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "gnupg2", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "gnupg2", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "gnupg2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "gnupg2", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "gnupg2", "product_name": "Red Hat Hardened Images"}], "public_date": "2026-06-23T17:26:25Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-57062\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-57062\nhttps://blog.calif.io/p/how-to-format-a-ciphertext\nhttps://www.gnupg.org/download/"], "statement": "A Low-impact flaw in GnuPG's gpgsm component accepts an incorrect AES-GCM authentication tag length in CMS messages. This compromises cryptographic data integrity, though confidentiality and availability are unaffected.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.20]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "GnuPG", "source": "cna", "vendor": "GnuPG"}, "product": "gnupg", "vendor": "gnupg"}], "created": "2026-06-23T19:00:07.416963+00:00", "updated": "2026-06-24T13:15:15.415470+00:00", "vendors": ["gnupg", "gnupg$PRODUCT$gnupg"]}