In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT--kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that could lead to remote code execution.
This does not affect any RHEL nor Fedora versions. Per https://dev.gnupg.org/T8044#211814 > Affected versions are 2.5.13 to 2.5.16. The other branches are not affected. Please, adjust accordingly. I will close the Fedora trackers.
Based on https://access.redhat.com/security/cve/cve-2026-24881 RHEL seem to be affected.
(In reply to MikeAnders from comment #3) > Based on https://access.redhat.com/security/cve/cve-2026-24881 RHEL seem to > be affected. Thats obviously wrong. See the affected versions on the openwall list: https://www.openwall.com/lists/oss-security/2026/01/27/8 The only part affecting RHEL10 is the tpm2daemon bug, but that one is tracked separately as CVE-2026-24882.