
CVE-2026-41990

Medium

Published: 23 April 2026

Modified: 27 April 2026
KEV Added: not listed
Patch: available (Libgcrypt 1.12.2)
CVSS Score (v3.1): 4.0, CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
EPSS Score: 0.0018 (7.3rd percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-41990 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Gnupg Libgcrypt. Its CVSS base score is 4.0 (Medium).

Operationally, it ranks at the 7.3rd percentile by exploit likelihood (EPSS, below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-41990 affects Libgcrypt versions before 1.12.2, the cryptographic library used by GnuPG and related software. The flaw occurs during Dilithium signing operations: writes to a static array lack a bounds check, producing a CWE-787 (Out-of-bounds Write) condition. Because the written data is not attacker-controlled, the flaw carries a CVSS v3.1 base score of 4.0 (AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L), reflecting limited, local-only impact.

A local, unprivileged attacker could potentially trigger this flaw, but the attack complexity is high and no user interaction is involved. Successful exploitation could cause low-level integrity and availability disruptions, such as minor data corruption or failure of specific signing operations; the absence of attacker-controlled input limits the practical scope and impact.

Advisories referenced in the GnuPG development tracker (T8208), gnupg-announce mailing list, and oss-security discussion recommend updating to Libgcrypt 1.12.2, which includes the necessary bounds checks to prevent the out-of-bounds writes during Dilithium signing.


Vulnerability details

Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.

CWE(s)

CWE-787 (Out-of-bounds Write)

Related Threats

MITRE ATT&CK Enterprise Techniques

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2021-3345 (same product: Gnupg Libgcrypt)
CVE-2022-27525 (shared CWE-787)
CVE-2023-21054 (shared CWE-787)
CVE-2022-41522 (shared CWE-787)
CVE-2023-23585 (shared CWE-787)
CVE-2021-34875 (shared CWE-787)
CVE-2021-26675 (shared CWE-787)
CVE-2020-27005 (shared CWE-787)
CVE-2021-44143 (shared CWE-787)
CVE-2023-39828 (shared CWE-787)

Affected Assets

gnupg
libgcrypt
1.12.0 — 1.12.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent, SI-2 (Flaw Remediation): directly requires timely installation of security-relevant software updates such as the Libgcrypt 1.12.2 bounds-check fix.

Prevent, CM-6 (Configuration Settings): enforces approved software versions and configuration settings that would mandate the patched Libgcrypt release.

Detect: requires scanning to identify systems running the vulnerable Libgcrypt version before exploitation.
