CVE-2026-41989: Buffer Overflow
Published Apr 23, 2026
Last updated 27 May 2026
Other sources
Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.
— MITRE
Affected Software
7 affected components · Fixes available
gnupg Libgcrypt < 1.12.2
gnupg Libgcrypt >= 1.8.8, < 1.10.4
gnupg Libgcrypt >= 1.11.0, < 1.11.3
gnupg Libgcrypt >= 1.12.0, < 1.12.2
Microsoft azl3 libgcrypt 1.10.3-1
Microsoft azl3 libgcrypt 1.10.3-2
debian/libgcrypt20 <= 1.10.1-3, <= 1.11.0-7
1.8.7-6, 1.10.1-3+deb12u1, 1.11.0-7+deb13u1, 1.12.2-1
Event History
Apr 23, 2026
CVE Published · via MITRE · 04:30 AM
Data Sourced · via MITRE · 04:30 AM · Description, Severity, Weakness
Data Sourced · via NVD · 05:16 AM · Description, Severity, Weakness, Affected Software
Apr 24, 2026
Data Sourced · via Microsoft · 08:05 AM · Description, Severity, Weakness, Affected Software
Updated · via Microsoft · 08:05 AM · Affected Software
Updated · via Microsoft · 08:05 AM · Description, Severity
May 27, 2026
Data Sourced · via Launchpad · 02:12 PM · Description
Data Sourced · via Debian · 02:13 PM · Description, Affected Software
May 28, 2026
Data Sourced · via Ubuntu · 02:13 PM · Remedy, Description, Severity, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2026-41989?
CVE-2026-41989 has a high severity due to the potential for heap-based buffer overflow and denial of service.
2. How do I fix CVE-2026-41989?
To fix CVE-2026-41989, update libgcrypt to version 1.12.2 or later.
3. What software is affected by CVE-2026-41989?
CVE-2026-41989 affects libgcrypt versions prior to 1.12.2.
4. What might be the impact of CVE-2026-41989?
The impact of CVE-2026-41989 includes potential denial of service and security compromise through crafted ECDH ciphertext.
5. Is CVE-2026-41989 remotely exploitable?
Yes, CVE-2026-41989 is remotely exploitable if an attacker can send crafted ECDH ciphertext to the vulnerable software.