In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)
Weakness
The product performs the same operation on a resource two or more times, when the operation should only be applied once.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gnupg | Gnupg | * | 2.4.8 (including) |
| Red Hat Enterprise Linux 10 | RedHat | gnupg2-0:2.4.5-3.el10_1 | * |
| Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | gnupg2-0:2.4.5-2.el10_0.1 | * |
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | RedHat | gnupg2-0:2.0.22-5.el7_9.1 | * |
| Red Hat Enterprise Linux 8 | RedHat | gnupg2-0:2.2.20-4.el8_10 | * |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | RedHat | gnupg2-0:2.2.9-1.el8_2.1 | * |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | gnupg2-0:2.2.20-2.el8_4.1 | * |
| Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On | RedHat | gnupg2-0:2.2.20-2.el8_4.1 | * |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | RedHat | gnupg2-0:2.2.20-3.el8_6.1 | * |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | RedHat | gnupg2-0:2.2.20-3.el8_6.1 | * |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | RedHat | gnupg2-0:2.2.20-3.el8_6.1 | * |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | RedHat | gnupg2-0:2.2.20-3.el8_8.1 | * |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | RedHat | gnupg2-0:2.2.20-3.el8_8.1 | * |
| Red Hat Enterprise Linux 9 | RedHat | gnupg2-0:2.3.3-5.el9_7 | * |
| Red Hat Enterprise Linux 9 | RedHat | gnupg2-0:2.3.3-5.el9_7 | * |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | RedHat | gnupg2-0:2.3.3-2.el9_0.1 | * |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | RedHat | gnupg2-0:2.3.3-2.el9_2.1 | * |
| Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | gnupg2-0:2.3.3-4.el9_4.1 | * |
| Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | gnupg2-0:2.3.3-4.el9_6.1 | * |
| Compliance Operator 1 | RedHat | compliance/openshift-compliance-content-rhel8:sha256:20e46e06977b41e0023503744d1a6b369cc625b71ca2c0499638e07642e8f497 | * |
| Compliance Operator 1 | RedHat | compliance/openshift-compliance-must-gather-rhel8:sha256:616471362a3255231b1b2f5434aa1fdde078570543b1ccee23a74272cff3f2b5 | * |
| Compliance Operator 1 | RedHat | compliance/openshift-compliance-openscap-rhel8:sha256:05c4770c79444de006d6ee9fa05c678e2bc26bda6aa3306c5149e80e741c07b3 | * |
| Compliance Operator 1 | RedHat | compliance/openshift-compliance-rhel8-operator:sha256:68ba04c2a97a1dbe3780ed8c6b86af3079584211e3d466f00dcd7a509281f371 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.8 | RedHat | advanced-cluster-security/rhacs-central-db-rhel8:sha256:189126988989d9ea557c1356386ee5a7443d5cb01717e0d974f0603a2b659130 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.8 | RedHat | advanced-cluster-security/rhacs-collector-rhel8:sha256:97949783533ac35c4c48c3bdfcb5306853779e82b101e52fdc2f95923d4d071f | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.8 | RedHat | advanced-cluster-security/rhacs-main-rhel8:sha256:2b5ba43a096f738c776e4fc95ac5afabbe1b80826c7350f85f0ca5987f412406 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.8 | RedHat | advanced-cluster-security/rhacs-rhel8-operator:sha256:074255ff15e39c96ccb0dac16df03a8f3066afa4f2f6d81588e11d0cff5f7dd6 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.8 | RedHat | advanced-cluster-security/rhacs-roxctl-rhel8:sha256:dcfa45646e951547da04021f3f35d7262a95f565366a1c5ebbf12532f783f686 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.8 | RedHat | advanced-cluster-security/rhacs-scanner-db-rhel8:sha256:b60ce2debac0fa9a6f0a125775df71c175aa1a0d25489cc63e1caf98464fb6b3 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.8 | RedHat | advanced-cluster-security/rhacs-scanner-rhel8:sha256:c7a63ddb83702fc56250aaf0bf090db1038d7d29eb6025b6e9bc717e3cb3ced4 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.8 | RedHat | advanced-cluster-security/rhacs-scanner-v4-db-rhel8:sha256:1b160193dd2e7612a7cd95e2f3e2863fae06c51b29afe8e67d57fa80ec703884 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.8 | RedHat | advanced-cluster-security/rhacs-scanner-v4-rhel8:sha256:c69235da18dcccc515f64615d6e2313423520cff6c3d32b87b2c3e1f1069ffa3 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-central-db-rhel8:sha256:cf5beedfa9139034d92f170115321be8f442b152628f1c91841a1be1cadfda33 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-collector-rhel8:sha256:cfb6a722aa6ede9218d9d7a28c7aae1b1455bc0ba5a41ba488e95ee504cccd70 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-main-rhel8:sha256:e87ce042d9afb90c643de99cfaa98314230a2d9a01ad1230cd0596413991f4f5 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-rhel8-operator:sha256:6f0060cfb71c9ee2788f2bcebd1d9aa40e337c10921a4c631c0119c80721b539 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-roxctl-rhel8:sha256:0f27626c8a671458174b6a3dc08268ec13f1b1ce297ca26b085a5799971470d6 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-scanner-db-rhel8:sha256:e2d7323de0313fc7e498791d2294fe4c46448638753349002dfa0e16580f9435 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-scanner-rhel8:sha256:249ae5abf72f255ec0b9152df39a5b2bd270df420bb585ca390e5c7dbdc4b5af | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-scanner-v4-db-rhel8:sha256:a75bba630478e2466c371b78ffce02ad116cc872bbe78624cd3438e45f47f93e | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-scanner-v4-rhel8:sha256:a3cfe3a06fadbe73d8a12e84beb504c9204e34f52af459c30d4e72a2b0a411e3 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-central-db-rhel8:sha256:fdc9b12b9ee45dd85e277f21f5219c8900b7c0a684090937a9a4cf69a3d22061 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-collector-rhel8:sha256:709d85ccdd2c9ddde6c152a44356800cca972d655dc310f7fdf4307c52f34a73 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-main-rhel8:sha256:896bba113fa4ba5eab3bc944d58f7492b55945e2802845edee9362b0682ab419 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-rhel8-operator:sha256:2d7d654755857e5a164827f2bbc022d1c23f7229b4164faa5c61e852c1706800 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-roxctl-rhel8:sha256:d09d170ce80d0e59bb67f64a31b26fef702d3d5d73b50d0475f92268f9d6f094 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-scanner-db-rhel8:sha256:552b628dee91632aeae32b09add80d1293ff6210585ec1469e1181660ee626e9 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-scanner-rhel8:sha256:effcbf4f105173a4725b450706db3297b77bcfd4a9d7b0b9f7b2f8a88436a50c | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-scanner-v4-db-rhel8:sha256:b4232e6ba47868e601e14b219730d272ca953065c7bd998ed5266238d13eb71a | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-scanner-v4-rhel8:sha256:b88a4d77f26b9f230d8abbc06aa0a3a1cde6df903a6ef797ee18efb81e2674ac | * |
| Red Hat Ceph Storage 7 | RedHat | rhceph/rhceph-7-rhel9:sha256:72a6d9deb9325e43639230b2681640b15bab946025810258796f95315febb7f4 | * |
| Red Hat Ceph Storage 8 | RedHat | rhceph/rhceph-8-rhel9:sha256:97a60239048123bc963d7c9ac2ad85caa6a254759e44c15f173ca12ea51e4719 | * |
| Red Hat Discovery 2 | RedHat | discovery/discovery-server-rhel9:sha256:d4d6cd6b1a84587ee851c4f76b47c1e6bf9f597f4a476c34e4a257cd1a860448 | * |
| Red Hat Discovery 2 | RedHat | discovery/discovery-ui-rhel9:sha256:26bb49a8e2e695d61192f04eb0db63efa8210bba20ea22b60e4e22d519d8b9e6 | * |
| Red Hat Insights proxy 1.5 | RedHat | insights-proxy/insights-proxy-container-rhel9:sha256:ab86ba36e62e8aec5ba48e9e0076b1f8086c48157c85990be0e2ce3e03273016 | * |
| Red Hat Update Infrastructure 5 | RedHat | rhui5/cds-rhel9:sha256:83e8b356eb4697a81ff8c6764dc976862800f4c78122a606173340a6e105a4fe | * |
| Red Hat Update Infrastructure 5 | RedHat | rhui5/haproxy-rhel9:sha256:409a64405669fd11ad8700356243762a3507430f9bba4100bb92765d4482b7e5 | * |
| Red Hat Update Infrastructure 5 | RedHat | rhui5/installer-rhel9:sha256:48cf7cf48dfadb17f9357bf1894a5d0393551a893faa8b0ea0e11fe1ffed497f | * |
| Red Hat Update Infrastructure 5 | RedHat | rhui5/rhua-rhel9:sha256:df709663b581b740006c6ea4b297978932874eade1563c3952e0594e926aa5f8 | * |
| Gnupg | Ubuntu | esm-infra-legacy/trusty | * |
| Gnupg | Ubuntu | esm-infra/xenial | * |
| Gnupg | Ubuntu | upstream | * |
| Gnupg2 | Ubuntu | devel | * |
| Gnupg2 | Ubuntu | esm-infra/bionic | * |
| Gnupg2 | Ubuntu | esm-infra/focal | * |
| Gnupg2 | Ubuntu | esm-infra/xenial | * |
| Gnupg2 | Ubuntu | jammy | * |
| Gnupg2 | Ubuntu | noble | * |
| Gnupg2 | Ubuntu | plucky | * |
| Gnupg2 | Ubuntu | questing | * |
| Gnupg2 | Ubuntu | upstream | * |
References
- https://github.com/gpg/gnupg/blob/ff30683418695f5d2cc9e6cf8c9418e09378ebe4/g10/armor.c#L1305-L1306
- https://github.com/gpg/gnupg/commit/115d138ba599328005c5321c0ef9f00355838ca9
- https://github.com/gpg/gnupg/compare/gnupg-2.2.50...gnupg-2.2.51
- https://gpg.fail/memcpy
- https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i
- https://news.ycombinator.com/item?id=46403200
- https://www.openwall.com/lists/oss-security/2025/12/28/5
- http://www.openwall.com/lists/oss-security/2025/12/29/11
- https://lists.debian.org/debian-lts-announce/2026/01/msg00008.html
- https://gpg.fail/memcpy