External risk intelligence

GnuPG Agent Stack Overflow Vulnerability Allows Denial of Service or Remote Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-24881

GnuPG is primarily a command-line or client-side library used for local encryption, decryption, and signing of files or emails. While it may process network-sourced data like S/MIME messages, it is generally integrated into local mail clients or automated backend processes rather than functioning as an internet-facing service, gateway, or edge component, making public internet exposure uncommon.

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical vulnerability in GnuPG, a widely used tool for encryption and digital signing. A specially crafted message can trigger a buffer overflow, potentially leading to denial of service or even remote code execution. While GnuPG is typically used locally, its integration into email clients or backend systems means this vulnerability could have broader implications if processed messages originate from external sources.

  • Crafted messages can crash or compromise systems.
  • Confirms relevance and potential exposure in connected systems.
  • Prioritize understanding GnuPG's role in your environment.

Attack Path

How an attacker could exploit the issue

An attacker can target GnuPG by sending a specially crafted S/MIME message. When the `gpg-agent` processes this message, it attempts to decrypt a session key within a CMS structure. If the session key is oversized, it triggers a stack-based buffer overflow, potentially leading to memory corruption and remote code execution.

  • No authentication required to trigger.
  • Oversized session key in CMS EnvelopedData.
  • Memory corruption, potential code execution.

Live Threat

Current exploitation, exposure, and threat context

A specially crafted S/MIME message containing an oversized session key could trigger a stack-based buffer overflow in gpg-agent. This vulnerability may lead to a denial of service or, in some cases, memory corruption that could allow for remote code execution.

  • GPG-related data could be compromised.
  • Malicious S/MIME messages may be sent.
  • System service disruption or compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

Ownership of this vulnerability lies with teams managing GnuPG or GPG4Win deployments, potentially including application, platform, or infrastructure owners. The first practical step is to inventory all GnuPG instances, determine their exposure and criticality, and then assign an accountable owner to plan remediation based on risk.

  • Identify GnuPG deployments and owners.
  • Verify reachability and business impact.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is GnuPG and how is it used?

GnuPG is an essential software suite for public key cryptography, commonly used to encrypt, decrypt, and digitally sign files or emails. It acts as a standard engine for secure data exchange, ensuring message confidentiality and integrity. Many email clients and automated backend systems rely on GnuPG to handle sensitive S/MIME messages and other cryptographic tasks, making it a foundational component for protecting private communications and authenticating digital identity across various platforms.

How does CVE-2026-24881 cause a buffer overflow?

This vulnerability is classified as CWE-121, a stack-based buffer overflow. It occurs when the GnuPG agent incorrectly processes a specially crafted CMS, or S/MIME, message. Specifically, when the software encounters an oversized wrapped session key, it exceeds the memory limits allocated on the stack. This memory error can destabilize the program, leading to a crash—which results in a denial of service—or potential memory corruption that an attacker might leverage to run unauthorized code.

Does any S/MIME message trigger this CVE?

No, standard S/MIME messages do not automatically trigger this issue. The vulnerability is specifically tied to the processing of a crafted CMS EnvelopedData structure containing an oversized session key. If a message does not contain this malformed, oversized key, the specific overflow path in the gpg-agent during PKDECRYPT--kem=CMS handling is not activated. The flaw is rooted in the agent's inability to safely handle this unique, malicious input rather than all encrypted traffic.

Do I need to worry if my GnuPG isn't internet-facing?

According to Halo Surface Signal, GnuPG is primarily a local library, and its use as an internet-facing service is uncommon, making high-scale public exposure unlikely. However, you should still evaluate your environment. Because GnuPG is often integrated into mail clients or automated backend processes that ingest external data, a message could reach your system through normal communication channels, even if the software itself is not directly exposed to the public internet.

What is the first step to address this advisory?

The most effective first step is to inventory all systems running GnuPG or GPG4Win to identify where the software is deployed. Once you have a list of instances, assess the criticality of these systems and determine how they handle external messages. This process will help you understand your specific risk and enable you to assign an accountable owner to plan and coordinate the necessary software updates for all affected installations within your organization.

References