CVE-2026-24882: Buffer Overflow
Published Jan 27, 2026
In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.
Affected Software
3 affected components (the two GnuPG entries describe the same package; the second is the narrower range)
gnupg / GnuPG: < 2.5.17
gnupg / GnuPG: >= 2.5.13, < 2.5.17
Gpg4win / Gpg4win: >= 5.0.0, < 5.0.1
Event History
Jan 27, 2026
CVE Published via MITRE · 06:40 PM
Data Sourced via MITRE · 06:40 PM (Description, Severity, Weakness)
Data Sourced via Red Hat · 07:01 PM (Description, Severity, Affected Software)
Data Sourced via NVD · 07:16 PM (Description, Severity, Weakness, Affected Software)
Frequently Asked Questions
1. What is the severity of CVE-2026-24882?
CVE-2026-24882 is considered critical because a stack-based buffer overflow in a daemon that performs private-key operations can potentially be turned into arbitrary code execution in the tpm2daemon process. This page reproduces no CVSS score or vector; consult the MITRE, Red Hat or NVD record listed above for the numeric rating.
2. How do I fix CVE-2026-24882?
Update GnuPG to version 2.5.17 or later. Gpg4win users should update to 5.0.1 or later, since Gpg4win 5.0.0 is listed as affected. After updating, confirm the installed version with `gpg --version`.
3. What versions of GnuPG are affected by CVE-2026-24882?
The affected-software entries list GnuPG before 2.5.17; one entry narrows the range to 2.5.13 through 2.5.16. Gpg4win 5.0.0 is also affected. The vulnerable code path lives in tpm2daemon and is exercised when it handles PKDECRYPT for TPM-backed keys, but updating is the correct fix regardless of whether TPM-backed keys are in use.
4. Is CVE-2026-24882 related to TPM-backed keys?
Yes. The overflow occurs in tpm2daemon while it handles the PKDECRYPT command for RSA and ECC keys that are backed by a TPM.
5. What type of vulnerability is CVE-2026-24882?
CVE-2026-24882 is a stack-based buffer overflow in the tpm2daemon component of GnuPG, triggered during PKDECRYPT handling.
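To turn the "update to 2.5.17" and "which versions are affected" answers above into something an administrator can run on a fleet, here is an added POSIX shell example (written for this page, not code from the GnuPG project or from any of the advisory's data sources). It compares a GnuPG version string against the fixed release 2.5.17 named in the affected-software list and, when `gpg` is installed, parses the first line of `gpg --version` to classify the local install. Assumptions, which are not stated on the page: version strings are plain MAJOR.MINOR.PATCH (a trailing non-digit suffix such as "-beta" is ignored), the banner has the form `gpg (GnuPG) X.Y.Z`, and tpm2daemon is registered with `gpgconf --list-components` under a name containing "tpm"; the banner lines used in the comments are constructed samples.

```shell
#!/bin/sh
# Added example for CVE-2026-24882 (not GnuPG project code): compare the
# installed GnuPG version with the fixed release 2.5.17 from the advisory.
# Assumptions: plain MAJOR.MINOR.PATCH version strings (a trailing non-digit
# suffix such as "-beta" is ignored), and the "gpg (GnuPG) X.Y.Z" banner that
# `gpg --version` prints on its first line.

FIXED_VERSION="2.5.17"

# version_lt A B: succeed (exit 0) when A sorts numerically before B,
# comparing dot-separated components one at a time; missing components are 0.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    case "$a" in
      *.*) ac="${a%%.*}"; a="${a#*.}" ;;
      *)   ac="$a";       a="" ;;
    esac
    case "$b" in
      *.*) bc="${b%%.*}"; b="${b#*.}" ;;
      *)   bc="$b";       b="" ;;
    esac
    ac="${ac%%[!0-9]*}"; bc="${bc%%[!0-9]*}"   # drop "-beta" style suffixes
    ac="${ac:-0}";       bc="${bc:-0}"
    if [ "$ac" -lt "$bc" ]; then return 0; fi
    if [ "$ac" -gt "$bc" ]; then return 1; fi
  done
  return 1   # all components equal: not less than
}

# cve_2026_24882_status VERSION: print "vulnerable" when VERSION predates the
# fixed release 2.5.17, "fixed" otherwise (range taken from the advisory).
cve_2026_24882_status() {
  if version_lt "$1" "$FIXED_VERSION"; then
    echo vulnerable
  else
    echo fixed
  fi
}

# gpg_version_from_banner LINE: extract "X.Y.Z" from the first line of
# `gpg --version`; a constructed sample "gpg (GnuPG) 2.5.16" yields "2.5.16".
# Prints nothing when the line does not look like a GnuPG banner.
gpg_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^gpg (GnuPG[^)]*) \([0-9][0-9.]*\).*/\1/p'
}

# Live check, only when gpg is installed; the functions above also work on
# their own against a version string or a captured banner line.
if command -v gpg >/dev/null 2>&1; then
  banner=$(gpg --version 2>/dev/null | head -n 1)
  installed=$(gpg_version_from_banner "$banner")
  if [ -n "$installed" ]; then
    echo "GnuPG $installed: $(cve_2026_24882_status "$installed") (fixed in $FIXED_VERSION)"
  else
    echo "could not parse a GnuPG version from: $banner"
  fi
  # Assumption: tpm2daemon appears in gpgconf's component list under a name
  # containing "tpm". Its presence means TPM support is built in, not that any
  # key is actually TPM-backed; only TPM-backed keys reach the affected path.
  if gpgconf --list-components 2>/dev/null | grep -qi tpm; then
    echo "tpm2daemon component present: TPM-backed keys would use the affected PKDECRYPT path"
  fi
fi
```

The version comparison is written out by hand rather than relying on `sort -V`, which is a GNU extension and not available on every platform where GnuPG runs; the "fixed" verdict only says the version is at or past 2.5.17, so a distribution that backports the patch to an older package version will still be reported as vulnerable and needs to be checked against its own changelog.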