CVE-2026-41990
Published: 23 April 2026
Description
Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.
Security SummaryAI
CVE-2026-41990 affects Libgcrypt versions before 1.12.2, a cryptographic library used in GnuPG and related software. The vulnerability arises during Dilithium signing operations, where writes to a static array lack a bounds check, leading to a CWE-787 (Out-of-bounds Write) condition. Although the writes do not involve attacker-controlled data, this flaw has a CVSS v3.1 base score of 4.0 (AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L), indicating low severity with primarily local impact.
A local attacker with no privileges can potentially exploit this vulnerability, but it requires high attack complexity and provides no user interaction vector. Successful exploitation could result in low-level integrity and availability disruptions, such as minor data corruption or denial of specific signing operations, though the absence of attacker-controlled input limits the practical scope and impact.
Advisories referenced in the GnuPG development tracker (T8208), gnupg-announce mailing list, and oss-security discussion recommend updating to Libgcrypt 1.12.2, which includes the necessary bounds checks to prevent the out-of-bounds writes during Dilithium signing.
Details
- CWE(s)