Nixpkgs security tracker

Login with GitHub

Suggestions search

With package: gnupg24

Found 4 matching suggestions

View:
Compact
Detailed
Published
Permalink CVE-2026-57062
2.9 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    15 packages
    • pam_gnupg
    • gnupg-pkcs11-scd
    • phpExtensions.gnupg
    • php82Extensions.gnupg
    • php83Extensions.gnupg
    • php84Extensions.gnupg
    • php85Extensions.gnupg
    • sequoia-chameleon-gnupg
    • perlPackages.GnuPGInterface
    • perl5Packages.GnuPGInterface
    • perl538Packages.GnuPGInterface
    • perl540Packages.GnuPGInterface
    • python312Packages.python-gnupg
    • python313Packages.python-gnupg
    • python314Packages.python-gnupg
  • @LeSuisse ignored reference https://w…
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through …

CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is related to CVE-2026-34182.

Affected products

GnuPG
  • =<2.5.20

Matching in nixpkgs

pkgs.gnupg

Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation

pkgs.gnupg1

Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation with symbolic links for gpg and gpgv

pkgs.gnupg24

Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation

pkgs.gnupg1compat

Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation with symbolic links for gpg and gpgv

pkgs.gnupgMinimal

Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation

  • nixos-unstable -
    • nixpkgs-unstable 2.4.9
    • nixos-unstable-small 2.4.9
Ignored packages (15)

pkgs.pam_gnupg

Unlock GnuPG keys on login

  • nixos-unstable 0.4
    • nixpkgs-unstable 0.4
    • nixos-unstable-small 0.4
  • nixos-26.05 0.4
    • nixos-26.05-small 0.4
    • nixpkgs-26.05-darwin 0.4

Package maintainers

Untriaged
Permalink CVE-2026-24882
8.4 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 5 months ago Activity log
  • Created suggestion
In GnuPG before 2.5.17, a stack-based buffer overflow exists in …

In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.

Affected products

GnuPG
  • <2.5.17

Matching in nixpkgs

pkgs.gnupg24

Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation

pkgs.pam_gnupg

Unlock GnuPG keys on login

  • nixos-unstable 0.4
    • nixpkgs-unstable 0.4
    • nixos-unstable-small 0.4

pkgs.gnupg1compat

Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation with symbolic links for gpg and gpgv

Untriaged
Permalink CVE-2026-24881
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 5 months ago Activity log
  • Created suggestion
In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message …

In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT--kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that could lead to remote code execution.

Affected products

GnuPG
  • <2.5.17

Matching in nixpkgs

pkgs.gnupg24

Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation

pkgs.pam_gnupg

Unlock GnuPG keys on login

  • nixos-unstable 0.4
    • nixpkgs-unstable 0.4
    • nixos-unstable-small 0.4

pkgs.gnupg1compat

Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation with symbolic links for gpg and gpgv

Untriaged
Permalink CVE-2026-24883
3.7 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
created 5 months ago Activity log
  • Created suggestion
In GnuPG before 2.5.17, a long signature packet length causes …

In GnuPG before 2.5.17, a long signature packet length causes parse_signature to return success with sig->data[] set to a NULL value, leading to a denial of service (application crash).

Affected products

GnuPG
  • <2.5.17

Matching in nixpkgs

pkgs.gnupg24

Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation

pkgs.pam_gnupg

Unlock GnuPG keys on login

  • nixos-unstable 0.4
    • nixpkgs-unstable 0.4
    • nixos-unstable-small 0.4

pkgs.gnupg1compat

Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation with symbolic links for gpg and gpgv