CVE-2015-1606

MEDIUM

GnuPG < 2.1.2 - Use-After-Free via Crafted Keyring File

Title source: llm
STIX 2.1

Description

The keyring DB in GnuPG before 2.1.2 does not properly handle invalid packets, which allows remote attackers to cause a denial of service (invalid read and use-after-free) via a crafted keyring file.

References (6)

Core 6
Core References
Third Party Advisory x_refsource_misc
http://www.debian.org/security/2015/dsa-3184
Mailing List, Third Party Advisory x_refsource_misc
http://www.openwall.com/lists/oss-security/2015/02/13/14
Mailing List, Third Party Advisory x_refsource_misc
http://www.openwall.com/lists/oss-security/2015/02/14/6
Third Party Advisory, VDB Entry x_refsource_misc
http://www.securitytracker.com/id/1031876

Scores

CVSS v3 5.5
EPSS 0.0192
EPSS Percentile 77.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Details

CWE
CWE-416
Status published
Products (3)
debian/debian_linux 7.0
debian/debian_linux 8.0
gnupg/gnupg < 2.1.2
Published Nov 20, 2019
Tracked Since Feb 18, 2026