CVE-2026-41990: Medium severity gnupg Libgcrypt vulnerability
Published Apr 23, 2026
Last updated 27 May 2026
Other sources
Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.
— MITRE
Affected Software
3 affected components · Fixes available
gnupg Libgcrypt < 1.12.2
gnupg Libgcrypt >= 1.12.0, < 1.12.2
debian/libgcrypt20: 1.8.7-6, 1.10.1-3, 1.10.1-3+deb12u1, 1.11.0-7, 1.11.0-7+deb13u1, 1.12.2-1
Event History
Apr 23, 2026
CVE Published via MITRE · 04:39 AM
Data Sourced via MITRE · 04:39 AM: Description, Severity, Weakness
Data Sourced via NVD · 05:16 AM: Description, Severity, Weakness, Affected Software
May 27, 2026
Data Sourced via Launchpad · 02:12 PM: Description
Data Sourced via Debian · 02:14 PM: Description, Affected Software
May 28, 2026
Data Sourced via Ubuntu · 02:13 PM: Remedy, Description, Severity, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2026-41990?
CVE-2026-41990 is considered a moderate severity vulnerability: writes to a static array during Dilithium signing lack a bounds check.
2. How do I fix CVE-2026-41990?
To fix CVE-2026-41990, upgrade Libgcrypt to version 1.12.2 or later.
3. What software is affected by CVE-2026-41990?
CVE-2026-41990 affects Libgcrypt versions prior to 1.12.2.
4. What are the consequences of CVE-2026-41990?
The consequences of CVE-2026-41990 include potential memory corruption, because writes to a static array are not bounds-checked.
5. Is CVE-2026-41990 exploitable by attackers?
The unchecked writes in CVE-2026-41990 do not use attacker-controlled data, making direct exploitation unlikely.