CVE-2020-25125: High severity GnuPG 2 (GNU Privacy Guard) vulnerability
GnuPG 2.2.21 and 2.2.22 (and Gpg4win 3.1.12) have an array overflow, leading to a crash or possibly unspecified other impact, when a victim imports an attacker's OpenPGP key, and this key has AEAD preferences. The overflow is caused by a g10/key-check.c error. NOTE: GnuPG 2.3.x is unaffected. GnuPG 2.2.23 is a fixed version.
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2020-25125.
What is the severity of CVE-2020-25125?
The severity of CVE-2020-25125 is high, with a CVSS score of 7.8.
Which software versions are affected by CVE-2020-25125?
The affected software versions are GnuPG 2.2.21, GnuPG 2.2.22, and Gpg4win 3.1.12.
What is the impact of CVE-2020-25125?
CVE-2020-25125 can lead to a crash or possibly unspecified other impact.
How can I fix CVE-2020-25125?
The description above identifies GnuPG 2.2.23 as a fixed version and notes that GnuPG 2.3.x is unaffected. It is recommended to follow the provided references for any updates or mitigation strategies.