In GnuPG before version 2.5.17, a crafted CMS (S/MIME) EnvelopedData message that carries an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT--kem=CMS handling. This vulnerability allows attackers to leverage the situation for denial of service, and potentially lead to memory corruption that could result in remote code execution. Given the CVSS score of 8.1, categorized as high severity, this vulnerability poses a significant risk to organizations.
Risk to organizations includes the potential for remote code execution that can be exploited by attackers, highlighting the importance of swift remediation. Organizations should prioritize patching immediately to protect their systems from this vulnerability.
As of now, there is no known public exploit for this vulnerability, but the exploitability is classified as high. This means organizations should remain vigilant and monitor their environments closely.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)