CVE-2026-57062: CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is related to CVE-2026-34182.
Overview
- Severity
- Low (CVSS 2.9)
- CVSS Vector
- CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
- Exploit Status
- Not Exploited
- Patch Tuesday
- 2026-Jun
- Released
- 2026-06-27
- EPSS Score
- 0.11% (percentile: 1.5%)
Affected Products (1)
Other
Revision History
- 2026-06-27: Information published.