Cyber Resilience

CVE-2026-24881

High · Public PoC · Updated

Published: 27 January 2026
Modified: 30 June 2026
KEV Added:
Patch:
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0198 (78.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-24881 is a high-severity stack-based buffer overflow (CWE-121) vulnerability in GnuPG. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked in the top 22.0% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-24881 is a stack-based buffer overflow vulnerability (CWE-121) affecting GnuPG versions before 2.5.17, specifically in the gpg-agent component. The issue arises when processing a crafted CMS (S/MIME) EnvelopedData message containing an oversized wrapped session key during PKDECRYPT operations with the --kem=CMS option. Published on January 27, 2026, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to potential impacts on confidentiality, integrity, and availability.

Attackers can exploit this vulnerability remotely over the network without privileges or user interaction, though it requires high attack complexity. A maliciously crafted message can trigger the buffer overflow, reliably causing denial of service via crashes in gpg-agent. Additionally, the resulting memory corruption may enable remote code execution under certain conditions, allowing attackers to compromise systems handling such S/MIME-encrypted content.

Advisories recommend upgrading to GnuPG 2.5.17 or later to mitigate the vulnerability, as detailed in the GnuPG development ticket at https://dev.gnupg.org/T8044 and the oss-security mailing list announcement at https://www.openwall.com/lists/oss-security/2026/01/27/8.
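A version triage check for the upgrade guidance above, as an added example (not code from this page or from the GnuPG project). It assumes the usual `gpg-agent (GnuPG) X.Y.Z` first line of `gpg-agent --version` output; the thresholds 2.5.13 and 2.5.17 come from this page, while the result labels and the sample banners are constructed for illustration.

```python
import re

FIXED = (2, 5, 17)        # first fixed release named on the page
RANGE_START = (2, 5, 13)  # lower bound of the page's "Affected Assets" range

# Matches e.g. "gpg-agent (GnuPG) 2.5.16" and captures any trailing suffix.
BANNER_RE = re.compile(r"\(GnuPG\)\s+(\d+)\.(\d+)\.(\d+)(\S*)")


def triage(banner: str) -> str:
    """Classify the first line of `gpg-agent --version` (or `gpg --version`) output.

    Returns one of the labels chosen for this example:
      "fixed"    - release 2.5.17 or later
      "affected" - inside the page's listed range (2.5.13 up to, not including, 2.5.17)
      "review"   - older than the listed range, or a suffixed/pre-release build;
                   check it against the advisory by hand
      "unknown"  - no GnuPG version string found
    """
    lines = banner.splitlines()
    match = BANNER_RE.search(lines[0]) if lines else None
    if not match:
        return "unknown"
    version = tuple(int(part) for part in match.group(1, 2, 3))
    if match.group(4):
        # A build such as "2.5.17-beta3" may predate the fix, so never call it fixed.
        return "review"
    if version >= FIXED:
        return "fixed"
    if version >= RANGE_START:
        return "affected"
    return "review"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    samples = [
        "gpg-agent (GnuPG) 2.5.16\nlibgcrypt 1.11.0",
        "gpg-agent (GnuPG) 2.5.17\nlibgcrypt 1.11.0",
        "gpg (GnuPG) 2.4.8",
        "gpg (GnuPG) 2.5.17-beta3",
    ]
    for sample in samples:
        print(sample.splitlines()[0], "->", triage(sample))
```

On a live host, pass the captured output of `gpg-agent --version` to `triage()`; gpg-agent is the component the page names, so check it rather than only the `gpg` front end.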

EU & UK References

Vulnerability details

In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT --kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that could lead to remote code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Stack-based buffer overflow in gpg-agent enables reliable DoS via crashes (T1499.004) and potential RCE through memory corruption when processing crafted network-delivered S/MIME messages (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24882: Same product (Gnupg Gnupg)
CVE-2025-70304: Shared CWE-121
CVE-2025-67432: Shared CWE-121
CVE-2025-54480: Shared CWE-121
CVE-2020-37122: Shared CWE-121
CVE-2025-69195: Shared CWE-121
CVE-2026-43661: Shared CWE-121
CVE-2019-25434: Shared CWE-121
CVE-2025-70252: Shared CWE-121
CVE-2019-25321: Shared CWE-121

Affected Assets

gnupg / gnupg: 2.5.13 — 2.5.17
gpg4win / gpg4win: 5.0.0 — 5.0.1

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly mitigates CVE-2026-24881 by requiring timely patching of GnuPG to version 2.5.17 or later to remediate the stack-based buffer overflow.

prevent

Implements memory protections like stack canaries and non-executable memory to prevent exploitation of the stack-based buffer overflow leading to memory corruption or RCE.

prevent

Requires validation of CMS EnvelopedData inputs to reject oversized wrapped session keys that trigger the buffer overflow in gpg-agent.

References