GnuPG Fixes Critical KEM Stack Buffer Overflow
GnuPG on Jan. 27, 2026 released version 2.5.17 to fix a critical stack buffer overflow in gpg-agent affecting versions 2.5.13–2.5.16 and related Gpg4win releases. The flaw, reported by OpenAI Security Research on Jan. 18, 2026, is triggered by crafted CMS/S-MIME EnvelopedData with an oversized wrapped session key and can lead to DoS or likely remote code execution. Users must update immediately.
Key Points
- 1Patch fixes stack buffer overflow in gpg-agent triggered by malformed CMS EnvelopedData.
- 2Vulnerability enables DoS and likely remote code execution via oversized wrapped session keys.
- 3Upgrade to GnuPG 2.5.17 or Gpg4win 5.0.1; remove gpgsm to mitigate if delayed.
Scoring Rationale
High practical impact and official release, enabling immediate remediation, but limited to GnuPG/Gpg4win 2.5.13–2.5.16 users.
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems
