Cyber Posture

CVE-2026-24881

High · Public PoC

Published: 27 January 2026

Modified: 12 February 2026
KEV Added
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0021 (42.4th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT --kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that could lead to remote code execution.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly mitigates CVE-2026-24881 by requiring timely patching of GnuPG to version 2.5.17 or later to remediate the stack-based buffer overflow.

prevent: Implements memory protections like stack canaries and non-executable memory to prevent exploitation of the stack-based buffer overflow leading to memory corruption or RCE.

prevent: Requires validation of CMS EnvelopedData inputs to reject oversized wrapped session keys that trigger the buffer overflow in gpg-agent.

Security Summary [AI]

CVE-2026-24881 is a stack-based buffer overflow vulnerability (CWE-121) affecting GnuPG versions before 2.5.17, specifically in the gpg-agent component. The issue arises when processing a crafted CMS (S/MIME) EnvelopedData message containing an oversized wrapped session key during PKDECRYPT operations with the --kem=CMS option. Published on January 27, 2026, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to potential impacts on confidentiality, integrity, and availability.

Attackers can exploit this vulnerability remotely over the network without privileges or user interaction, though it requires high attack complexity. A maliciously crafted message can trigger the buffer overflow, reliably causing denial of service via crashes in gpg-agent. Additionally, the resulting memory corruption may enable remote code execution under certain conditions, allowing attackers to compromise systems handling such S/MIME-encrypted content.

Advisories recommend upgrading to GnuPG 2.5.17 or later to mitigate the vulnerability, as detailed in the GnuPG development ticket at https://dev.gnupg.org/T8044 and the oss-security mailing list announcement at https://www.openwall.com/lists/oss-security/2026/01/27/8.

Details

CWE(s)

Affected Products

gnupg: 2.5.13 — 2.5.17
gpg4win: 5.0.0 — 5.0.1

MITRE ATT&CK Enterprise Techniques [AI]

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Stack-based buffer overflow in gpg-agent enables reliable DoS via crashes (T1499.004) and potential RCE through memory corruption when processing crafted network-delivered S/MIME messages (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
