Cyber Posture

CVE-2026-41990

Medium

Published: 23 April 2026

Modified: 27 April 2026
KEV Added: not listed
Patch
CVSS Score: 4.0 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)
EPSS Score: 0.0002 (3.7th percentile)
Risk Priority: 8 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-41990 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Gnupg Libgcrypt. Its CVSS base score is 4.0 (Medium).

Operationally, it is ranked at the 3.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.

MITRE ATT&CK Enterprise Techniques (AI)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

NVD Description

Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.

Deeper analysis (AI)

CVE-2026-41990 affects Libgcrypt versions before 1.12.2, a cryptographic library used in GnuPG and related software. The vulnerability arises during Dilithium signing operations, where writes to a static array lack a bounds check, leading to a CWE-787 (Out-of-bounds Write) condition. Although the writes do not involve attacker-controlled data, this flaw has a CVSS v3.1 base score of 4.0 (AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L), indicating a medium rating with low, primarily local impact.

An unprivileged local attacker could potentially trigger this vulnerability, but attack complexity is high; no user interaction is required. Successful exploitation could result in low-level integrity and availability disruptions, such as minor data corruption or denial of specific signing operations, though the absence of attacker-controlled input limits the practical scope and impact.

Advisories referenced in the GnuPG development tracker (T8208), gnupg-announce mailing list, and oss-security discussion recommend updating to Libgcrypt 1.12.2, which includes the necessary bounds checks to prevent the out-of-bounds writes during Dilithium signing.

Details

CWE(s): CWE-787 (Out-of-bounds Write)

Affected Products

gnupg / libgcrypt: 1.12.0 — 1.12.2

CVEs Like This One

CVE-2026-41989: same product (Gnupg Libgcrypt)
CVE-2026-5503: shared CWE-787
CVE-2026-27280: shared CWE-787
CVE-2025-14235: shared CWE-787
CVE-2026-20418: shared CWE-787
CVE-2025-27821: shared CWE-787
CVE-2026-0116: shared CWE-787
CVE-2026-21305: shared CWE-787
CVE-2024-12547: shared CWE-787
CVE-2025-25742: shared CWE-787

References