CVE-2025-30258
LOWGnuPG < 2.4.8 - Denial of Service via Crafted Subkey Certificate Import
Title source: llmDescription
In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."
References (3)
Core 3
Core References
Exploit, Issue Tracking
https://dev.gnupg.org/T7527
Mailing List, Release Notes, Vendor Advisory
https://lists.gnupg.org/pipermail/gnupg-announce/2025q1/000491.html
Scores
CVSS v3
2.7
EPSS
0.0017
EPSS Percentile
6.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-754
Status
published
Products (1)
gnupg/gnupg
< 2.4.8
Published
Mar 19, 2025
Tracked Since
Feb 18, 2026