5.9

CVE-2025-68972

EPSS 0.01%
Veröffentlicht 27.12.2025 22:52:30
Zuletzt bearbeitet 09.01.2026 20:08:47
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Gnupg ≫ Gnupg SwEdition- Version <= 2.4.8

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.003

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.7	1	3.6	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
cve@mitre.org	5.9	1.4	4	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://gpg.fail/formfeed

Product

https://news.ycombinator.com/item?id=46404339

Issue Tracking

https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i

Product

https://nvd.nist.gov/vuln/detail/CVE-2025-68972

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-68972

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-68972

EUVD