There is a remote code execution vulnerability in GnuPG via malformed ASCII armor. This has been fixed in upstream, but Fedora does not have the patch.
Reproducible: Always
Steps to Reproduce: See https://gpg.fail/memcpy or GnuPG commit 115d138ba599328005c5321c0ef9f00355838ca9
Actual Results: Memory corruption
Expected Results: No memory corruption
Additional Information: This is likely exploitable for code execution.
(moving to rawhide since a f42 bug was created and aligning severity with the other filed security bugs) Demi prepared a PR in https://src.fedoraproject.org/rpms/gnupg2/pull-request/25
FEDORA-2026-acea06489d (gnupg2-2.4.9-1.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2026-acea06489d
FEDORA-2026-acea06489d has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-acea06489d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-acea06489d
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2026-acea06489d (gnupg2-2.4.9-1.fc43) has been pushed to the Fedora 43 stable repository. If the problem still persists, please make note of it in this bug report.