GnuPG through version 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.
Created gnupg2 tracking bugs for this issue:
Affects: fedora-all [bug 1563931]
Created gnupg tracking bugs for this issue:
Affects: fedora-all [bug 1563932]
Normally master keys are more protected than signing or encryption subkeys. Since master key can actually be used to prove someone's identity. Subkeys on other hand can you used to sign/verify and encrypt/decrypt messages in place of the master keys. However the procedure of signing someones keys requires the master key. The flaw allows the signing subkey to sign someones keys, without the use of the master key, when smartcards are used. This seems to be only a minor security bypass, since technically subkeys also need to have some form of security around them.