CVE-2025-68972 MEDIUM

CVE-2025-68972

Vendor Gnupg
Product GnuPG
Weakness CWE-347
Published December 27, 2025
Last update January 2, 2026

CVSS base score

5.9/10
Attack vector Local
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

What the vulnerability does

Description

In GnuPG through 2.4.8, if a signed message has a \f (form feed) character at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to the use of \f as a marker to denote truncation of a long plaintext line.

Key dates

Disclosure timeline

December 27, 2025 CVE published
January 2, 2026 Record updated