Cyber Resilience

CVE-2026-41989

Medium

Published: 23 April 2026

Modified: 27 April 2026
KEV Added: not listed
Patch: upgrade to 1.12.2 available
CVSS v3.1 score: 6.7 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS score: 0.0018 (7.8th percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-41989 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in GnuPG Libgcrypt. Its CVSS v3.1 base score is 6.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 7.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-13 (Cryptographic Protection).

Deeper analysis

CVE-2026-41989 is a heap-based buffer overflow vulnerability (CWE-787) affecting Libgcrypt versions before 1.12.2. The flaw occurs when the gcry_pk_decrypt function processes crafted ECDH ciphertext, potentially leading to a denial of service. Published on 2026-04-23, it carries a CVSS v3.1 base score of 6.7 (AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H), highlighting medium severity with impacts primarily on integrity and availability.

Exploitation requires local access (AV:L) and high attack complexity (AC:H), but no privileges (PR:N), no user interaction (UI:N), and no scope change (S:U). An unprivileged local attacker who can supply malformed ECDH ciphertext to gcry_pk_decrypt triggers the heap overflow, producing a high integrity impact (I:H) in the form of memory corruption and a high availability impact (A:H) in the form of application crashes or denial of service; there is no confidentiality impact (C:N).

Advisories recommend upgrading to Libgcrypt 1.12.2, which addresses the issue. Detailed information is available in the GnuPG development ticket at https://dev.gnupg.org/T8211, the GnuPG announce mailing list post at https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000503.html, and the OSS-Security mailing list discussion at https://www.openwall.com/lists/oss-security/2026/04/21/1.
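The practical first step for a defender is to find out which Libgcrypt the host actually runs and compare it against the fix version the advisory names. The following Python script is an added example, not code from the advisory, from GnuPG or from this page. The 1.12.2 threshold comes from the advisory text; the use of Libgcrypt's gcry_check_version() through ctypes and the library name resolution are assumptions about a typical Linux install. A version string alone cannot tell you whether a distribution backported the fix, so treat a "vulnerable" result as a prompt to check the package changelog rather than as proof.

```python
"""Compare an installed (or supplied) Libgcrypt version against the
CVE-2026-41989 fix version.

Added example: not the advisory's or GnuPG's own code. The fix version
(1.12.2) is taken from the advisory; the ctypes probe and library lookup
are assumptions about a typical Linux system.
"""
import ctypes
import ctypes.util
import re
from typing import Dict, Optional, Tuple

# "Libgcrypt before 1.12.2" is affected, per the advisory text.
FIXED_VERSION: Tuple[int, int, int] = (1, 12, 2)

# Libgcrypt reports strings such as "1.10.3" or "1.10.3-unknown";
# only the leading numeric triple matters for the comparison.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None if the string is not a version."""
    match = _VERSION_RE.match(text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if the version is below the fix version, False if at or above it,
    None if the string could not be parsed."""
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    return parsed < FIXED_VERSION


def installed_version() -> Optional[str]:
    """Ask the loaded Libgcrypt for its version via gcry_check_version(NULL).

    Assumption: the library is discoverable as "gcrypt" (libgcrypt.so.20 on
    most Linux distributions). Returns None when it cannot be loaded.
    """
    name = ctypes.util.find_library("gcrypt")
    if name is None:
        return None
    try:
        lib = ctypes.CDLL(name)
        lib.gcry_check_version.restype = ctypes.c_char_p
        lib.gcry_check_version.argtypes = [ctypes.c_char_p]
        raw = lib.gcry_check_version(None)
    except (OSError, AttributeError):
        return None
    return raw.decode("ascii", "replace") if raw else None


def assess(version_text: Optional[str]) -> Dict[str, object]:
    """Build a small report for a version string (None = library not found)."""
    if version_text is None:
        return {"version": None, "status": "libgcrypt not found"}
    verdict = is_vulnerable(version_text)
    if verdict is None:
        status = "unparseable version string"
    elif verdict:
        status = "below 1.12.2: review package changelog for a backported fix"
    else:
        status = "at or above 1.12.2"
    return {"version": version_text, "status": status}


if __name__ == "__main__":
    print(assess(installed_version()))
```

Run it on each host in scope and feed the dictionary into whatever inventory you already keep; on distributions that ship patched builds under an older version number, pair the result with the package manager's changelog before filing a finding.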

EU & UK References

Vulnerability details

Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.

CWE(s)

CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Heap buffer overflow in gcry_pk_decrypt enables local memory corruption leading to application crashes/DoS via crafted ECDH input (matches Application or System Exploitation sub-technique).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2021-3345 (same product: GnuPG Libgcrypt)
CVE-2021-37563 (shared CWE-787)
CVE-2023-0182 (shared CWE-787)
CVE-2021-36417 (shared CWE-787)
CVE-2022-32045 (shared CWE-787)
CVE-2022-40961 (shared CWE-787)
CVE-2022-40657 (shared CWE-787)
CVE-2023-31906 (shared CWE-787)
CVE-2022-32052 (shared CWE-787)
CVE-2022-0904 (shared CWE-787)

Affected Assets

gnupg
libgcrypt
1.8.8 — 1.10.4 · 1.11.0 — 1.11.3 · 1.12.0 — 1.12.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

prevent (SI-2 Flaw Remediation)

Directly requires timely remediation of flaws in software components such as Libgcrypt by applying the vendor-supplied update to version 1.12.2 that eliminates the gcry_pk_decrypt buffer overflow.

prevent

Requires memory protection mechanisms that can mitigate exploitation of the heap-based buffer overflow triggered by crafted ECDH ciphertext.

prevent (SC-13 Cryptographic Protection)

Mandates use of approved cryptographic modules whose implementations must be free of the documented Libgcrypt ECDH decryption flaw.

References