CVE-2026-24883: Null Pointer Dereference
Published Jan 27, 2026
In GnuPG before 2.5.17, a long signature packet length causes parse_signature to return success with sig->data[] set to a NULL value, leading to a denial of service (application crash).
Affected Software
3 affected components
gnupg / GnuPG: < 2.5.17
gnupg / GnuPG: >= 2.5.13, < 2.5.17
Gpg4win / Gpg4win: >= 5.0.0, < 5.0.1
Remediation
Patch Available
Event History
Jan 27, 2026
  CVE Published via MITRE, 06:43 PM
  Data Sourced via MITRE, 06:43 PM (Description, Severity, Weakness)
  Data Sourced via NVD, 07:16 PM (Remedy, Description, Severity, Weakness, Affected Software)
Jan 13
  Event via FIRST, 03:03 PM
Frequently Asked Questions
1. What is the severity of CVE-2026-24883?
CVE-2026-24883 is considered a denial of service vulnerability due to the potential for application crashes.
2. How do I fix CVE-2026-24883?
To mitigate CVE-2026-24883, update GnuPG to version 2.5.17 or later.
3. What causes CVE-2026-24883?
CVE-2026-24883 is caused by a long signature packet length that results in a NULL value in sig->data[].
4. Which versions of GnuPG are affected by CVE-2026-24883?
GnuPG versions prior to 2.5.17 are affected by CVE-2026-24883.
5. Can CVE-2026-24883 be exploited remotely?
Yes, CVE-2026-24883 can be exploited remotely, leading to a denial of service through crafted signature packets.
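The description and FAQ item 3 name the bug class: a packet parser takes an "over-long length" branch that abandons parsing but still reports success, so the caller later dereferences a sig->data[] slot that is still NULL. The C program below is an added, constructed model of that pattern and of the two defensive fixes (the parser must turn the over-long branch into an error, and the consumer must treat an unpopulated slot as a failure); it is not GnuPG's code, and the names parse_sig_buggy, parse_sig_fixed, read_mpis, sig_first_byte, the 64-byte bound, the two-MPI layout and the sample packets are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the CVE-2026-24883 bug class; not GnuPG code.
 * Packet layout (hypothetical): NSIG_MPIS records of (1-byte length, bytes). */
#define MAX_PKT_LEN 64   /* hypothetical upper bound on a signature packet */
#define NSIG_MPIS   2    /* hypothetical number of signature MPIs */

typedef struct {
    uint8_t *data[NSIG_MPIS];  /* one buffer per MPI; NULL until parsed */
    size_t   len[NSIG_MPIS];
} sig_t;

static void sig_free(sig_t *sig) {
    for (int i = 0; i < NSIG_MPIS; i++) { free(sig->data[i]); sig->data[i] = NULL; }
}

/* Shared body: reads each MPI with bounds checks; -1 on any malformed record. */
static int read_mpis(const uint8_t *pkt, size_t pktlen, sig_t *sig) {
    size_t off = 0;
    for (int i = 0; i < NSIG_MPIS; i++) {
        if (off >= pktlen) return -1;
        size_t n = pkt[off++];
        if (n == 0 || n > pktlen - off) return -1;
        sig->data[i] = malloc(n);
        if (!sig->data[i]) return -1;
        memcpy(sig->data[i], pkt + off, n);
        sig->len[i] = n;
        off += n;
    }
    return 0;
}

/* Buggy shape: the over-long branch skips the MPI reads but returns 0 (success),
 * so the caller sees a "valid" signature whose data[] slots are all NULL. */
int parse_sig_buggy(const uint8_t *pkt, size_t pktlen, sig_t *sig) {
    memset(sig, 0, sizeof *sig);
    if (pktlen > MAX_PKT_LEN)
        return 0;              /* BUG: error dropped, sig->data[] stays NULL */
    return read_mpis(pkt, pktlen, sig);
}

/* Fixed shape: an over-long packet is an error the caller is forced to see. */
int parse_sig_fixed(const uint8_t *pkt, size_t pktlen, sig_t *sig) {
    memset(sig, 0, sizeof *sig);
    if (pktlen > MAX_PKT_LEN)
        return -1;
    return read_mpis(pkt, pktlen, sig);
}

/* Defensive consumer: returns the first byte of MPI 0, or -1 if the parser
 * failed or any data[] slot is still NULL. The NULL check is defence in depth
 * that keeps even the buggy parser from crashing the caller. */
int sig_first_byte(int (*parser)(const uint8_t *, size_t, sig_t *),
                   const uint8_t *pkt, size_t pktlen) {
    sig_t sig;
    int rc = -1;
    if (parser(pkt, pktlen, &sig) == 0) {
        int complete = 1;
        for (int i = 0; i < NSIG_MPIS; i++)
            if (!sig.data[i]) complete = 0;
        if (complete) rc = sig.data[0][0];
    }
    sig_free(&sig);
    return rc;
}

/* Constructed sample inputs: a well-formed two-MPI packet and an over-long one. */
const uint8_t good_pkt[] = { 2, 0xAB, 0xCD, 1, 0x01 };
uint8_t long_pkt[MAX_PKT_LEN + 1];   /* zero-filled, 65 bytes: exceeds the bound */

int main(void) {
    sig_t s;
    int rc = parse_sig_buggy(long_pkt, sizeof long_pkt, &s);
    printf("buggy parser on long packet: rc=%d data[0]=%p\n", rc, (void *)s.data[0]);
    sig_free(&s);
    printf("fixed parser on long packet: rc=%d\n",
           parse_sig_fixed(long_pkt, sizeof long_pkt, &s));
    sig_free(&s);
    printf("checked consumer, good packet: %d\n",
           sig_first_byte(parse_sig_fixed, good_pkt, sizeof good_pkt));
    return 0;
}
```

The first printf shows the dangerous state the CVE describes: rc=0 together with a NULL data pointer. A consumer that trusted rc alone and wrote sig.data[0][0] would crash there; the fixed parser removes that state, and the checked consumer survives it even if the parser is not yet patched.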