Peter Gutmann

**Name of the Vulnerable Software and Affected Versions** GnuPG versions 2.x through 2.0.16 **Description** The issue is related to a use-after-free vulnerability in the kbx/keybox-blob.c file of GPGSM in GnuPG. This vulnerability can be exploited by remote attackers who send a certificate with a large number of Subject Alternate Names, which is not properly handled during a realloc operation when importing the certificate or verifying its signature. This can cause a denial of service (crash) and possibly allow the execution of arbitrary code. Additionally, there are multiple vulnerabilities in the gnupg-agent package that can lead to violations of confidentiality, integrity, and availability of protected information, and these can be exploited remotely. **Recommendations** For GnuPG versions 2.x through 2.0.16, update to a version later than 2.0.16 to resolve the issue. As a temporary workaround, consider restricting the import of certificates with a large number of Subject Alternate Names to minimize the risk of exploitation.