What is CVE-2026-57062?

CVE-2026-57062 is a low-severity vulnerability in Gnupg, classified under Improper Validation of Specified Quantity in Input. CVSS score: 2.9/10. Published 2026-06-23.

How severe is CVE-2026-57062?

Low severity. CVSS v3 base score is 2.9 out of 10.

Vulnerability in Gnupg

CVE-2026-57062

CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is related to CVE-2026-34182.

CVSS v3 metric

CVSS v3 base score 2.9 (Low). Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N.

Affected products

Gnupg — versions 0

Weakness classification (CWE)

CWE-1284 — Improper Validation of Specified Quantity in Input

References

cve@mitre.org
cve@mitre.org

Frequently asked questions

What is CVE-2026-57062?: CVE-2026-57062 is a low-severity vulnerability in Gnupg, classified under Improper Validation of Specified Quantity in Input. CVSS score: 2.9/10. Published 2026-06-23.
How severe is CVE-2026-57062?: Low severity. CVSS v3 base score is 2.9 out of 10.