CVE-2026-41990
Published: 23 April 2026
Summary
CVE-2026-41990 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Gnupg Libgcrypt. Its CVSS base score is 4.0 (Medium).
Operationally, ranked at the 7.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2026-41990 affects Libgcrypt versions before 1.12.2, a cryptographic library used in GnuPG and related software. The vulnerability arises during Dilithium signing operations, where writes to a static array lack a bounds check, leading to a CWE-787 (Out-of-bounds Write) condition. Although the writes do not involve attacker-controlled data, this flaw has a CVSS v3.1 base score of 4.0 (AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L), indicating low severity with primarily local impact.
A local attacker with no privileges can potentially exploit this vulnerability, but it requires high attack complexity and provides no user interaction vector. Successful exploitation could result in low-level integrity and availability disruptions, such as minor data corruption or denial of specific signing operations, though the absence of attacker-controlled input limits the practical scope and impact.
Advisories referenced in the GnuPG development tracker (T8208), gnupg-announce mailing list, and oss-security discussion recommend updating to Libgcrypt 1.12.2, which includes the necessary bounds checks to prevent the out-of-bounds writes during Dilithium signing.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25193
Vulnerability details
Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Insufficient information to map techniques.CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely installation of security-relevant software updates such as the Libgcrypt 1.12.2 bounds-check fix.
Enforces approved software versions and configuration settings that would mandate the patched Libgcrypt release.
Requires scanning to identify systems running the vulnerable Libgcrypt version prior to exploitation.