PT-2026-5009 · Gnupg · Gnupg

OpenAI Security Research · Published 2026-01-27 · Updated 2026-03-10 · CVE-2026-24881

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

GnuPG versions prior to 2.5.17

Description

A specially crafted CMS (S/MIME) EnvelopedData message with an oversized wrapped session key can lead to a stack-based buffer overflow in gpg-agent during PKDECRYPT --kem=CMS handling. This can result in denial of service, and potentially memory corruption leading to remote code execution.

Recommendations

Update GnuPG to version 2.5.17 or later.

Exploit

Fix

Stack Overflow

Weakness Enumeration

Related Identifiers

CVE-2026-24881
OPENSUSE-SU-2026:10112-1

Affected Products

Gnupg