NEWS OpenAI has found a critical vulnerability in GnuPG. Your encryption software urgently needs an update.

pinkman

The GnuPG project has released update 2.5.17 to address a critical vulnerability.

The GnuPG project has released GnuPG 2.5.17, an update that addresses a critical vulnerability in the 2.5.x branch. According to a message on the gnupg-announce mailing list, the issue affects GnuPG versions 2.5.13, 2.5.14, 2.5.15, and 2.5.16, as well as the Windows package Gpg4win 5.0.0 and several of its beta builds. The developers claim that other versions are not vulnerable.
The bug is related to the handling of CMS (S/MIME) EnvelopedData: a specially crafted message with an excessively large "wrapped" session key causes a stack buffer overflow in gpg-agent when processing PKDECRYPT with the --kem=CMS parameter. This bug is easily exploited for denial of service, but the developers warn that memory corruption "with high probability" can also be converted into remote code execution. The vulnerability was introduced by modifying the internal API to use the KEM interface, which is required for FIPS compliance.
A CVE identifier has not yet been assigned for the vulnerability; it is listed as T8044 in the GnuPG tracker. The email states that the vulnerability was discovered by the OpenAI Security Research team: the report was received on January 18, 2026, and patched releases were published on January 27, 2026. An update to the Windows installer was also released simultaneously: Gpg4win users are advised to upgrade to version 5.0.1.
The developers recommend upgrading to GnuPG 2.5.17 as soon as possible (and, if necessary, verifying the signature, for which purpose the .sig file has been published). If an immediate upgrade is not possible, a temporary solution is suggested: removing the gpgsm binary (or gpgsm.exe) to prevent remote exploitation via S/MIME. Release 2.5.17 also includes other security fixes, and general release information is available on the Release-info page.
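
A triage check for the version range named above, added here as an example (it is not part of the original post or the GnuPG project). It assumes the usual `name (GnuPG) X.Y.Z` first line of `--version` output; the function names are made up for this sketch, and Gpg4win and its beta builds are not covered.

```shell
#!/bin/sh
# Added example: flag GnuPG components whose version is one the post
# lists as affected (2.5.13 through 2.5.16). Function names are hypothetical.

AFFECTED_GNUPG="2.5.13 2.5.14 2.5.15 2.5.16"

# Pull X.Y.Z out of the first line of `<tool> --version`,
# e.g. "gpg-agent (GnuPG) 2.5.16" -> "2.5.16". Prints nothing if unparsable.
parse_gnupg_version() {
    printf '%s\n' "$1" | sed -n '1s/^[^)]*) \([0-9][0-9.]*\).*$/\1/p'
}

# Exit status 0 if the version is in the affected list, 1 otherwise.
is_affected_gnupg() {
    for _v in $AFFECTED_GNUPG; do
        if [ "$1" = "$_v" ]; then return 0; fi
    done
    return 1
}

# Map `--version` output to: affected | not-listed | unknown.
classify() {
    _ver=$(parse_gnupg_version "$1")
    if [ -z "$_ver" ]; then
        echo "unknown"
    elif is_affected_gnupg "$_ver"; then
        echo "affected"
    else
        echo "not-listed"
    fi
}

# Check the local install. The overflow is in gpg-agent and is reached
# through gpgsm (S/MIME), so both are reported alongside gpg.
triage_host() {
    for _bin in gpg-agent gpgsm gpg; do
        if command -v "$_bin" >/dev/null 2>&1; then
            _out=$("$_bin" --version 2>/dev/null)
            printf '%-10s %s (%s)\n' "$_bin" "$(classify "$_out")" \
                "$(parse_gnupg_version "$_out")"
        else
            printf '%-10s not installed\n' "$_bin"
        fi
    done
}

# Run against this machine only when asked: sh check.sh --host
if [ "${1:-}" = "--host" ]; then triage_host; fi
```

The check reads the binaries on disk, so after upgrading, restart the agent (`gpgconf --kill gpg-agent`) to make sure an old process is not still running.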