UBUNTU-CVE-2026-57062

Source
https://ubuntu.com/security/CVE-2026-57062
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-57062.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-57062
Upstream
  • CVE-2026-57062
Published
2026-06-23T18:18:00Z
Modified
2026-06-29T18:15:10.272222551Z
Severity
  • 2.9 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
  • Ubuntu - low
Summary
[none]
Details

CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is related to CVE-2026-34182.

References

Affected packages

Ubuntu:22.04:LTS
gnupg2

Package

Name
gnupg2
Purl
pkg:deb/ubuntu/gnupg2?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.2.20-1ubuntu4
2.2.27-2ubuntu1
2.2.27-3ubuntu1
2.2.27-3ubuntu2
2.2.27-3ubuntu2.1
2.2.27-3ubuntu2.3
2.2.27-3ubuntu2.4
2.2.27-3ubuntu2.5

Ecosystem specific

{
    "priority_reason": "This is a low severity issue",
    "binaries": [
        {
            "binary_name": "dirmngr",
            "binary_version": "2.2.27-3ubuntu2.5"
        },
        {
            "binary_name": "gnupg",
            "binary_version": "2.2.27-3ubuntu2.5"
        },
        {
            "binary_name": "gnupg-agent",
            "binary_version": "2.2.27-3ubuntu2.5"
        },
        {
            "binary_name": "gnupg-l10n",
            "binary_version": "2.2.27-3ubuntu2.5"
        },
        {
            "binary_name": "gnupg-utils",
            "binary_version": "2.2.27-3ubuntu2.5"
        },
        {
            "binary_name": "gnupg2",
            "binary_version": "2.2.27-3ubuntu2.5"
        },
        {
            "binary_name": "gpg",
            "binary_version": "2.2.27-3ubuntu2.5"
        },
        {
            "binary_name": "gpg-agent",
            "binary_version": "2.2.27-3ubuntu2.5"
        },
        {
            "binary_name": "gpg-wks-client",
            "binary_version": "2.2.27-3ubuntu2.5"
        },
        {
            "binary_name": "gpg-wks-server",
            "binary_version": "2.2.27-3ubuntu2.5"
        },
        {
            "binary_name": "gpgconf",
            "binary_version": "2.2.27-3ubuntu2.5"
        },
        {
            "binary_name": "gpgsm",
            "binary_version": "2.2.27-3ubuntu2.5"
        },
        {
            "binary_name": "gpgv",
            "binary_version": "2.2.27-3ubuntu2.5"
        },
        {
            "binary_name": "gpgv-static",
            "binary_version": "2.2.27-3ubuntu2.5"
        },
        {
            "binary_name": "gpgv-win32",
            "binary_version": "2.2.27-3ubuntu2.5"
        },
        {
            "binary_name": "gpgv2",
            "binary_version": "2.2.27-3ubuntu2.5"
        },
        {
            "binary_name": "scdaemon",
            "binary_version": "2.2.27-3ubuntu2.5"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-57062.json"
Ubuntu:24.04:LTS
gnupg2

Package

Name
gnupg2
Purl
pkg:deb/ubuntu/gnupg2?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.2.40-1.1ubuntu1
2.4.4-2ubuntu7
2.4.4-2ubuntu15
2.4.4-2ubuntu16
2.4.4-2ubuntu17
2.4.4-2ubuntu17.2
2.4.4-2ubuntu17.3
2.4.4-2ubuntu17.4

Ecosystem specific

{
    "priority_reason": "This is a low severity issue",
    "binaries": [
        {
            "binary_name": "dirmngr",
            "binary_version": "2.4.4-2ubuntu17.4"
        },
        {
            "binary_name": "gnupg",
            "binary_version": "2.4.4-2ubuntu17.4"
        },
        {
            "binary_name": "gnupg-agent",
            "binary_version": "2.4.4-2ubuntu17.4"
        },
        {
            "binary_name": "gnupg-l10n",
            "binary_version": "2.4.4-2ubuntu17.4"
        },
        {
            "binary_name": "gnupg-utils",
            "binary_version": "2.4.4-2ubuntu17.4"
        },
        {
            "binary_name": "gnupg2",
            "binary_version": "2.4.4-2ubuntu17.4"
        },
        {
            "binary_name": "gpg",
            "binary_version": "2.4.4-2ubuntu17.4"
        },
        {
            "binary_name": "gpg-agent",
            "binary_version": "2.4.4-2ubuntu17.4"
        },
        {
            "binary_name": "gpg-wks-client",
            "binary_version": "2.4.4-2ubuntu17.4"
        },
        {
            "binary_name": "gpg-wks-server",
            "binary_version": "2.4.4-2ubuntu17.4"
        },
        {
            "binary_name": "gpgconf",
            "binary_version": "2.4.4-2ubuntu17.4"
        },
        {
            "binary_name": "gpgsm",
            "binary_version": "2.4.4-2ubuntu17.4"
        },
        {
            "binary_name": "gpgv",
            "binary_version": "2.4.4-2ubuntu17.4"
        },
        {
            "binary_name": "gpgv-static",
            "binary_version": "2.4.4-2ubuntu17.4"
        },
        {
            "binary_name": "gpgv-win32",
            "binary_version": "2.4.4-2ubuntu17.4"
        },
        {
            "binary_name": "keyboxd",
            "binary_version": "2.4.4-2ubuntu17.4"
        },
        {
            "binary_name": "scdaemon",
            "binary_version": "2.4.4-2ubuntu17.4"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-57062.json"
Ubuntu:25.10
gnupg2

Package

Name
gnupg2
Purl
pkg:deb/ubuntu/gnupg2?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.4.4-2ubuntu23
2.4.4-2ubuntu24
2.4.7-17ubuntu3
2.4.8-2ubuntu1
2.4.8-2ubuntu2
2.4.8-2ubuntu2.1

Ecosystem specific

{
    "priority_reason": "This is a low severity issue",
    "binaries": [
        {
            "binary_name": "dirmngr",
            "binary_version": "2.4.8-2ubuntu2.1"
        },
        {
            "binary_name": "gnupg",
            "binary_version": "2.4.8-2ubuntu2.1"
        },
        {
            "binary_name": "gnupg-agent",
            "binary_version": "2.4.8-2ubuntu2.1"
        },
        {
            "binary_name": "gnupg-l10n",
            "binary_version": "2.4.8-2ubuntu2.1"
        },
        {
            "binary_name": "gnupg-utils",
            "binary_version": "2.4.8-2ubuntu2.1"
        },
        {
            "binary_name": "gnupg2",
            "binary_version": "2.4.8-2ubuntu2.1"
        },
        {
            "binary_name": "gpg",
            "binary_version": "2.4.8-2ubuntu2.1"
        },
        {
            "binary_name": "gpg-agent",
            "binary_version": "2.4.8-2ubuntu2.1"
        },
        {
            "binary_name": "gpg-wks-client",
            "binary_version": "2.4.8-2ubuntu2.1"
        },
        {
            "binary_name": "gpg-wks-server",
            "binary_version": "2.4.8-2ubuntu2.1"
        },
        {
            "binary_name": "gpgconf",
            "binary_version": "2.4.8-2ubuntu2.1"
        },
        {
            "binary_name": "gpgsm",
            "binary_version": "2.4.8-2ubuntu2.1"
        },
        {
            "binary_name": "gpgv",
            "binary_version": "2.4.8-2ubuntu2.1"
        },
        {
            "binary_name": "gpgv-static",
            "binary_version": "2.4.8-2ubuntu2.1"
        },
        {
            "binary_name": "scdaemon",
            "binary_version": "2.4.8-2ubuntu2.1"
        },
        {
            "binary_name": "tpm2daemon",
            "binary_version": "2.4.8-2ubuntu2.1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-57062.json"
Ubuntu:26.04:LTS
gnupg2

Package

Name
gnupg2
Purl
pkg:deb/ubuntu/gnupg2?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.4.8-2ubuntu2
2.4.8-4ubuntu1
2.4.8-4ubuntu2
2.4.8-4ubuntu3

Ecosystem specific

{
    "priority_reason": "This is a low severity issue",
    "binaries": [
        {
            "binary_name": "dirmngr",
            "binary_version": "2.4.8-4ubuntu3"
        },
        {
            "binary_name": "gnupg",
            "binary_version": "2.4.8-4ubuntu3"
        },
        {
            "binary_name": "gnupg-agent",
            "binary_version": "2.4.8-4ubuntu3"
        },
        {
            "binary_name": "gnupg-l10n",
            "binary_version": "2.4.8-4ubuntu3"
        },
        {
            "binary_name": "gnupg-utils",
            "binary_version": "2.4.8-4ubuntu3"
        },
        {
            "binary_name": "gnupg2",
            "binary_version": "2.4.8-4ubuntu3"
        },
        {
            "binary_name": "gpg",
            "binary_version": "2.4.8-4ubuntu3"
        },
        {
            "binary_name": "gpg-agent",
            "binary_version": "2.4.8-4ubuntu3"
        },
        {
            "binary_name": "gpg-wks-client",
            "binary_version": "2.4.8-4ubuntu3"
        },
        {
            "binary_name": "gpg-wks-server",
            "binary_version": "2.4.8-4ubuntu3"
        },
        {
            "binary_name": "gpgconf",
            "binary_version": "2.4.8-4ubuntu3"
        },
        {
            "binary_name": "gpgsm",
            "binary_version": "2.4.8-4ubuntu3"
        },
        {
            "binary_name": "gpgv",
            "binary_version": "2.4.8-4ubuntu3"
        },
        {
            "binary_name": "gpgv-static",
            "binary_version": "2.4.8-4ubuntu3"
        },
        {
            "binary_name": "scdaemon",
            "binary_version": "2.4.8-4ubuntu3"
        },
        {
            "binary_name": "tpm2daemon",
            "binary_version": "2.4.8-4ubuntu3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-57062.json"
Ubuntu:Pro:16.04:LTS
gnupg2

Package

Name
gnupg2
Purl
pkg:deb/ubuntu/gnupg2?arch=source&distro=esm-infra%2Fxenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.0.28-3ubuntu1
2.0.28-3ubuntu2
2.1.11-6ubuntu1
2.1.11-6ubuntu2
2.1.11-6ubuntu2.1
2.1.11-6ubuntu2.1+esm1
2.1.11-6ubuntu2.1+esm2
2.1.11-6ubuntu2.1+esm3

Ecosystem specific

{
    "priority_reason": "This is a low severity issue",
    "binaries": [
        {
            "binary_name": "dirmngr",
            "binary_version": "2.1.11-6ubuntu2.1+esm3"
        },
        {
            "binary_name": "gnupg-agent",
            "binary_version": "2.1.11-6ubuntu2.1+esm3"
        },
        {
            "binary_name": "gnupg2",
            "binary_version": "2.1.11-6ubuntu2.1+esm3"
        },
        {
            "binary_name": "gpgsm",
            "binary_version": "2.1.11-6ubuntu2.1+esm3"
        },
        {
            "binary_name": "gpgv2",
            "binary_version": "2.1.11-6ubuntu2.1+esm3"
        },
        {
            "binary_name": "scdaemon",
            "binary_version": "2.1.11-6ubuntu2.1+esm3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-57062.json"
Ubuntu:Pro:18.04:LTS
gnupg2

Package

Name
gnupg2
Purl
pkg:deb/ubuntu/gnupg2?arch=source&distro=esm-infra%2Fbionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.1.15-1ubuntu8
2.2.4-1ubuntu1
2.2.4-1ubuntu1.1
2.2.4-1ubuntu1.2
2.2.4-1ubuntu1.3
2.2.4-1ubuntu1.4
2.2.4-1ubuntu1.5
2.2.4-1ubuntu1.6
2.2.4-1ubuntu1.6+esm1
2.2.4-1ubuntu1.6+esm2

Ecosystem specific

{
    "priority_reason": "This is a low severity issue",
    "binaries": [
        {
            "binary_name": "dirmngr",
            "binary_version": "2.2.4-1ubuntu1.6+esm2"
        },
        {
            "binary_name": "gnupg",
            "binary_version": "2.2.4-1ubuntu1.6+esm2"
        },
        {
            "binary_name": "gnupg-agent",
            "binary_version": "2.2.4-1ubuntu1.6+esm2"
        },
        {
            "binary_name": "gnupg-l10n",
            "binary_version": "2.2.4-1ubuntu1.6+esm2"
        },
        {
            "binary_name": "gnupg-utils",
            "binary_version": "2.2.4-1ubuntu1.6+esm2"
        },
        {
            "binary_name": "gnupg2",
            "binary_version": "2.2.4-1ubuntu1.6+esm2"
        },
        {
            "binary_name": "gpg",
            "binary_version": "2.2.4-1ubuntu1.6+esm2"
        },
        {
            "binary_name": "gpg-agent",
            "binary_version": "2.2.4-1ubuntu1.6+esm2"
        },
        {
            "binary_name": "gpg-wks-client",
            "binary_version": "2.2.4-1ubuntu1.6+esm2"
        },
        {
            "binary_name": "gpg-wks-server",
            "binary_version": "2.2.4-1ubuntu1.6+esm2"
        },
        {
            "binary_name": "gpgconf",
            "binary_version": "2.2.4-1ubuntu1.6+esm2"
        },
        {
            "binary_name": "gpgsm",
            "binary_version": "2.2.4-1ubuntu1.6+esm2"
        },
        {
            "binary_name": "gpgv",
            "binary_version": "2.2.4-1ubuntu1.6+esm2"
        },
        {
            "binary_name": "gpgv-static",
            "binary_version": "2.2.4-1ubuntu1.6+esm2"
        },
        {
            "binary_name": "gpgv-win32",
            "binary_version": "2.2.4-1ubuntu1.6+esm2"
        },
        {
            "binary_name": "gpgv2",
            "binary_version": "2.2.4-1ubuntu1.6+esm2"
        },
        {
            "binary_name": "scdaemon",
            "binary_version": "2.2.4-1ubuntu1.6+esm2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-57062.json"
Ubuntu:Pro:20.04:LTS
gnupg2

Package

Name
gnupg2
Purl
pkg:deb/ubuntu/gnupg2?arch=source&distro=esm-infra%2Ffocal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.2.12-1ubuntu3
2.2.17-3ubuntu1
2.2.19-3ubuntu2
2.2.19-3ubuntu2.1
2.2.19-3ubuntu2.2
2.2.19-3ubuntu2.4
2.2.19-3ubuntu2.5
2.2.19-3ubuntu2.5+esm1

Ecosystem specific

{
    "priority_reason": "This is a low severity issue",
    "binaries": [
        {
            "binary_name": "dirmngr",
            "binary_version": "2.2.19-3ubuntu2.5+esm1"
        },
        {
            "binary_name": "gnupg",
            "binary_version": "2.2.19-3ubuntu2.5+esm1"
        },
        {
            "binary_name": "gnupg-agent",
            "binary_version": "2.2.19-3ubuntu2.5+esm1"
        },
        {
            "binary_name": "gnupg-l10n",
            "binary_version": "2.2.19-3ubuntu2.5+esm1"
        },
        {
            "binary_name": "gnupg-utils",
            "binary_version": "2.2.19-3ubuntu2.5+esm1"
        },
        {
            "binary_name": "gnupg2",
            "binary_version": "2.2.19-3ubuntu2.5+esm1"
        },
        {
            "binary_name": "gpg",
            "binary_version": "2.2.19-3ubuntu2.5+esm1"
        },
        {
            "binary_name": "gpg-agent",
            "binary_version": "2.2.19-3ubuntu2.5+esm1"
        },
        {
            "binary_name": "gpg-wks-client",
            "binary_version": "2.2.19-3ubuntu2.5+esm1"
        },
        {
            "binary_name": "gpg-wks-server",
            "binary_version": "2.2.19-3ubuntu2.5+esm1"
        },
        {
            "binary_name": "gpgconf",
            "binary_version": "2.2.19-3ubuntu2.5+esm1"
        },
        {
            "binary_name": "gpgsm",
            "binary_version": "2.2.19-3ubuntu2.5+esm1"
        },
        {
            "binary_name": "gpgv",
            "binary_version": "2.2.19-3ubuntu2.5+esm1"
        },
        {
            "binary_name": "gpgv-static",
            "binary_version": "2.2.19-3ubuntu2.5+esm1"
        },
        {
            "binary_name": "gpgv-win32",
            "binary_version": "2.2.19-3ubuntu2.5+esm1"
        },
        {
            "binary_name": "gpgv2",
            "binary_version": "2.2.19-3ubuntu2.5+esm1"
        },
        {
            "binary_name": "scdaemon",
            "binary_version": "2.2.19-3ubuntu2.5+esm1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-57062.json"