CVE-2026-57062

LOW NVD

CVSS Score 2.9

Severity LOW

Published Jun 23, 2026

Vendor unknown

Description

CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is related to CVE-2026-34182.

References

https://blog.calif.io/p/how-to-format-a-ciphertext
https://www.gnupg.org/download/