OpenAI Security Research

Researcher from OpenAI
#14810 of 53,632
18.2 Total CVSS
Vulnerabilities · 2 (High: 1, Critical: 1)
PT-2026-5009
9.8
2026-01-27
Gnupg · Gnupg · CVE-2026-24881
**Name of the Vulnerable Software and Affected Versions** GnuPG versions prior to 2.5.17

**Description** A specially crafted CMS (S/MIME) EnvelopedData message with an oversized wrapped session key can lead to a stack-based buffer overflow in `gpg-agent` during `PKDECRYPT --kem=CMS` handling. This can result in denial of service, and potentially memory corruption leading to remote code execution.

**Recommendations** Update GnuPG to version 2.5.17 or later.
PT-2026-5010
8.4
2026-01-01
Gnupg · Gnupg · CVE-2026-24882
**Name of the Vulnerable Software and Affected Versions** GnuPG versions prior to 2.5.17

**Description** GnuPG is a tool for encrypting data and creating digital signatures. A stack-based buffer overflow exists in the `tpm2daemon` component when handling the `PKDECRYPT` command for TPM-backed RSA and ECC keys. This issue could allow for arbitrary code execution. The vulnerability affects systems utilizing TPM-backed RSA/ECC key decryption operations.

**Recommendations** Upgrade to GnuPG version 2.5.17 or later.