Bug 2433480 (CVE-2026-24881)

Summary: CVE-2026-24881 GnuPG: GnuPG: Remote code execution and denial of service via crafted CMS EnvelopedData message
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: crizzo, gtanzill, jbuscemi, jjelen, jmitchel, kshier, michael.jons, pbohmill, prodsec-dev, teagle
Target Milestone: ---
Keywords: Security
Target Release: ---
Flags: jjelen: needinfo? (prodsec-dev)
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in GnuPG. A remote attacker could exploit this vulnerability by sending a specially crafted Cryptographic Message Syntax (CMS) EnvelopedData message. This message, containing an oversized wrapped session key, can cause a stack-based buffer overflow in the gpg-agent component. Successful exploitation may lead to a denial of service and potentially remote code execution.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2433666, 2433670, 2433672, 2433673
Bug Blocks:

Description OSIDB Bzimport 2026-01-27 19:02:54 UTC
In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT --kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that could lead to remote code execution.
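
The mechanism in the description above, the encoded length of a wrapped session key being trusted when it is copied into a fixed-size stack buffer, shown as an added C illustration that is not GnuPG's code. The buffer size, the error codes and the constructed messages are assumptions; the DER handling is a minimal stand-in for the CMS encryptedKey OCTET STRING, not gpg-agent's parser. Only the bounds-checked form is run on the oversized message, because running the unchecked one on it is the overflow itself.

```c
/*
 * Added illustration, not GnuPG source: the bug class the description
 * names (an attacker-chosen wrapped-key length copied into a fixed-size
 * stack buffer) beside its bounds-checked form.  The DER handling is a
 * minimal stand-in for a CMS encryptedKey OCTET STRING; the buffer size,
 * error codes and message bytes are assumptions made for this example.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define WRAPPED_KEY_MAX 256          /* assumed size of the stack buffer */
#define ERR_MALFORMED   (-1)
#define ERR_TOO_LARGE   (-2)

/* Decode one DER TLV header from p[0..len).  Returns the header size and
 * fills *tag/*vlen, or 0 if the header is truncated, uses an indefinite
 * or more-than-four-byte length, or the value does not fit in the input. */
static size_t der_header(const uint8_t *p, size_t len, uint8_t *tag, size_t *vlen)
{
    if (len < 2) return 0;
    *tag = p[0];
    size_t i = 1;
    if (p[i] < 0x80) {
        *vlen = p[i++];                      /* short form */
    } else {
        size_t n = p[i++] & 0x7f;            /* long form: 0x80|n, then n bytes */
        if (n == 0 || n > 4 || len - i < n) return 0;
        size_t v = 0;
        while (n--) v = (v << 8) | p[i++];
        *vlen = v;
    }
    return (*vlen <= len - i) ? i : 0;
}

/* VULNERABLE pattern: the encoded length alone drives the copy.  Returns
 * the number of key bytes copied.  Never call it with a key longer than
 * WRAPPED_KEY_MAX: that is the stack overflow, undefined behaviour, and
 * no harness should exercise it. */
static int unwrap_unchecked(const uint8_t *msg, size_t len)
{
    uint8_t key[WRAPPED_KEY_MAX];
    uint8_t tag; size_t vlen;
    size_t hdr = der_header(msg, len, &tag, &vlen);
    if (!hdr || tag != 0x04) return ERR_MALFORMED;
    memcpy(key, msg + hdr, vlen);            /* BUG: no check against sizeof key */
    return (int)vlen;
}

/* HARDENED form: reject the wrapped key before anything is copied. */
static int unwrap_checked(const uint8_t *msg, size_t len)
{
    uint8_t key[WRAPPED_KEY_MAX];
    uint8_t tag; size_t vlen;
    size_t hdr = der_header(msg, len, &tag, &vlen);
    if (!hdr || tag != 0x04) return ERR_MALFORMED;
    if (vlen > sizeof key) return ERR_TOO_LARGE;   /* the missing check */
    memcpy(key, msg + hdr, vlen);
    return (int)vlen;
}

/* Build a constructed OCTET STRING carrying keylen pattern bytes, the
 * shape of a CMS encryptedKey.  Returns the total length, 0 if cap is too small. */
static size_t build_octet_string(uint8_t *buf, size_t cap, size_t keylen)
{
    size_t i = 0;
    if (keylen > 0xffff || cap < keylen + 4) return 0;
    buf[i++] = 0x04;
    if (keylen < 0x80) {
        buf[i++] = (uint8_t)keylen;
    } else {
        buf[i++] = 0x82;
        buf[i++] = (uint8_t)(keylen >> 8);
        buf[i++] = (uint8_t)keylen;
    }
    for (size_t k = 0; k < keylen; k++) buf[i++] = (uint8_t)(0xA5 ^ k);
    return i;
}

/* Scenarios wired up for the reader (and for a test harness). */
int demo_normal_checked(void)    { uint8_t m[512]; size_t n = build_octet_string(m, sizeof m, 32);  return unwrap_checked(m, n); }
int demo_normal_unchecked(void)  { uint8_t m[512]; size_t n = build_octet_string(m, sizeof m, 32);  return unwrap_unchecked(m, n); }
int demo_oversized_checked(void) { uint8_t m[512]; size_t n = build_octet_string(m, sizeof m, 300); return unwrap_checked(m, n); }
int demo_truncated_checked(void) { uint8_t m[512]; size_t n = build_octet_string(m, sizeof m, 300); return unwrap_checked(m, n - 10); }

int main(void)
{
    printf("32-byte key, checked:     %d\n", demo_normal_checked());    /* 32 */
    printf("32-byte key, unchecked:   %d\n", demo_normal_unchecked());  /* 32 */
    printf("300-byte key, checked:    %d\n", demo_oversized_checked()); /* -2 */
    printf("300-byte key, truncated:  %d\n", demo_truncated_checked()); /* -1 */
    return 0;
}
```

The length check sits before the memcpy and compares against the destination's real size, not against the length the sender encoded; the truncated case shows that the DER decoder also has to refuse a value that claims more bytes than the input holds, or the copy reads past the message instead of past the buffer.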

Comment 2 Jakub Jelen 2026-01-28 16:50:46 UTC
This does not affect any RHEL nor Fedora versions. Per https://dev.gnupg.org/T8044#211814

> Affected versions are 2.5.13 to 2.5.16. The other branches are not affected.

Please, adjust accordingly. I will close the Fedora trackers.

Comment 3 MikeAnders 2026-02-03 03:39:24 UTC
Based on https://access.redhat.com/security/cve/cve-2026-24881 RHEL seems to be affected.

Comment 4 Jakub Jelen 2026-02-03 08:41:22 UTC
(In reply to MikeAnders from comment #3)
> Based on https://access.redhat.com/security/cve/cve-2026-24881 RHEL seems to
> be affected.

That's obviously wrong. See the affected versions on the openwall list:

https://www.openwall.com/lists/oss-security/2026/01/27/8

The only part affecting RHEL10 is the tpm2daemon bug, but that one is tracked separately as CVE-2026-24882.