CVE-2026-57062 GnuPG gpgsm AES-GCM CMS Bug: Low Severity, Big Parsing Lesson

CVE-2026-57062 is a low-severity GnuPG flaw disclosed in late June 2026 in which gpgsm, the S/MIME component of GnuPG through version 2.5.20, accepts a four-byte AES-GCM integrity-check length in CMS data where twelve bytes are expected. That sounds like the sort of cryptographic footnote most administrators would rather leave to library maintainers. It is not a mass-exploitation story, and the available scoring reflects that. But it is a useful warning about a class of failures that keeps recurring: secure algorithms do not stay secure when parsers are too forgiving about the envelopes that carry them.

Windows Security Center shows an S/MIME scan result rejecting a message due to authentication tag length mismatch.The Bug Is Small Because the Boundary Is Small​

The immediate defect is narrow. In CMS, or Cryptographic Message Syntax, GnuPG’s gpgsm handles S/MIME-style encrypted and signed material rather than the OpenPGP messages many users associate with gpg. The vulnerable path concerns AES-GCM, an authenticated-encryption mode whose security depends not only on the cipher but on strict treatment of its parameters.
The issue, as recorded by vulnerability trackers and Microsoft’s Security Update Guide entry, is that gpgsm accepts an aes-ICVlen value of four bytes when the CMS format expects twelve. ICV here means integrity check value, often discussed in AES-GCM contexts as the authentication tag. Reduce the tag length, or allow unexpected encodings of it, and the implementation starts drifting away from the security model operators think they are relying on.
That does not automatically make this a practical remote compromise. The CVSS vector assigned to the CVE is local attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, low integrity impact, and no availability impact. In plain English: it is a real parsing error, but not a push-button internet worm.
The more interesting story is why a “low” bug deserves attention from WindowsForum readers at all. GnuPG is not merely a Linux command-line relic; it sits behind mail workflows, developer tooling, package verification habits, backup scripts, and cross-platform encryption utilities. A subtle parser tolerance in that stack can matter precisely because nobody thinks about it until a signed or encrypted object fails in a way that policy did not anticipate.

AES-GCM Did Not Fail; The Format Contract Did​

AES-GCM remains widely used because it combines encryption and authentication in a single mode, giving software a way to detect tampering while decrypting content. But authenticated encryption is not pixie dust sprinkled over bytes. It is a contract among the algorithm, the nonce or IV, the associated data, the tag, and the protocol format that describes all of those pieces.
CVE-2026-57062 is therefore not best understood as “AES-GCM is broken.” It is better understood as “a consumer of AES-GCM accepted a CMS shape it should have rejected.” That difference matters because the remediation mindset is different. Replacing the cipher would miss the point; making the parser less permissive addresses it.
This is the kind of defect that frustrates security teams because it lives between layers. A cryptographic primitive may be sound. The library API may expose enough knobs to be flexible. The message format may specify what values are acceptable. Then one implementation quietly accepts a value outside the intended profile, and the system’s actual behavior becomes something no single layer’s documentation fully describes.
The relationship to CVE-2026-34182 reinforces that this is not an isolated theme. The earlier CVE has been discussed in connection with CMS processing and AES-GCM handling across cryptographic software, with researchers focusing on how encoded algorithm parameters can be abused when implementations are too liberal. CVE-2026-57062 looks like GnuPG’s narrower piece of that broader parsing-and-authentication story.

Gpgsm Is the Part Many Users Forget They Installed​

For many Windows users, “GnuPG” means Gpg4win, Kleopatra, command-line gpg, and the familiar ritual of verifying a download or encrypting a file. But GnuPG is a suite, not a single binary. gpgsm is the component that implements S/MIME and CMS workflows, using X.509 certificates rather than the OpenPGP web-of-trust model.
That matters for exposure. A developer who only uses gpg --verify on OpenPGP signatures is not automatically exercising the vulnerable CMS path. A mail workflow that decrypts S/MIME objects through GnuPG, a script that processes CMS envelopes, or an enterprise tool that wraps GnuPG for certificate-based encryption is a better place to look.
The problem for administrators is that gpgsm can be present even when nobody consciously designed a “GnuPG S/MIME architecture.” Security software often accretes. A package installed for one workflow brings along supporting utilities, a GUI frontend invokes engines in the background, and years later a vulnerability scanner reports a CVE against a component the desktop team never documents in its service catalog.
Windows complicates this in a familiar way. Many Windows endpoints do not receive GnuPG through a single operating-system package manager. They may have Gpg4win, standalone GnuPG installers, bundled copies inside developer tools, MSYS2 or Cygwin environments, WSL distributions, Git-adjacent tooling, or private application directories. “Patch GnuPG” is a simple sentence hiding a messy inventory problem.

The Severity Score Is Low, But the Signal Is Not​

The low CVSS score is defensible. The attack complexity is high, exploitation is not considered automatable in the available SSVC-style assessment, and the technical impact is partial. A successful attack depends on conditions beyond the attacker’s control, which means the adversary may need environmental knowledge, a prepared target path, or a man-in-the-middle position in a relevant workflow.
That should prevent panic. It should not invite indifference. Cryptographic vulnerabilities with low severity often represent failure modes that only become meaningful inside a larger chain. A parser that accepts an invalid authentication-tag length may be harmless in one deployment and material in another where messages are relayed, transformed, logged, retried, or treated as policy decisions.
The key phrase is integrity impact. The public scoring does not claim confidentiality loss or service outage. It does, however, acknowledge that the vulnerable behavior can affect integrity under constrained conditions. In S/MIME and CMS environments, integrity is not decorative; it is the property that tells downstream software whether the object should be trusted as untampered.
Administrators should also resist the comforting habit of ranking vulnerabilities only by whether exploit code is circulating. Parser bugs in cryptographic formats often age strangely. They begin as academic or edge-case findings, then reappear when someone discovers a weird gateway, mail filter, archival system, or compatibility shim that turns the edge case into a reachable path.

The Timeline Makes This a 2.5-Series Problem With 2.4-Series Shadows​

GnuPG 2.5.20 was announced on May 13, 2026, with two notable gpgsm features and several bug fixes. Among those changes was GCM encryption support in gpgsm, while decryption support had existed since version 2.3.2. The same release announcement also noted that the older 2.4 series was nearing end-of-life, pushing users toward the newer branch.
The CVE description covers GnuPG through 2.5.20. Debian’s tracker shows its source package status as vulnerable across several stable and testing releases at the time of its entry, while unstable had a fixed package at 2.4.9-5. That detail is important: a project’s upstream version line and a distribution’s patched package version do not always map cleanly onto “newer equals safe.”
This is where enterprise patch management has to be more precise than a banner headline. If you maintain Debian, Ubuntu, Fedora, SUSE, Arch, Windows, WSL, and container images, your question is not simply “Do we have 2.5.20?” It is “Does our vendor’s build include the fix for the CMS AES-GCM parameter validation issue?”
Windows administrators face an additional wrinkle because GnuPG’s own announcement for 2.5.20 included a Windows installer and noted that a new Gpg4win release was in planning, with the simple installer usable over Gpg4win 5.0.2 for those affected by fixed bugs. That does not by itself answer whether every Windows packaging route has shipped a remediation for CVE-2026-57062. It does tell us that Windows copies of GnuPG are first-class enough to deserve inventory, not an afterthought.

Microsoft’s Listing Is a Reminder That Open Source Risk Is Now Windows Risk​

At first glance, it may seem odd that a GnuPG issue appears in Microsoft’s Security Update Guide. GnuPG is not a Microsoft cryptographic library, and the vulnerable component is not Windows’ native S/MIME stack. But MSRC has increasingly become a place where Windows ecosystem risk is surfaced even when the root project is open source or third-party.
That is the modern endpoint reality. Windows machines are no longer just Windows, Office, Edge, and a few line-of-business apps. They are developer workstations with package managers, containers, Python and Node environments, Git tooling, WSL distributions, VPN clients, admin utilities, mail add-ins, and security agents. Open-source cryptographic components move through that landscape like plumbing.
For WindowsForum’s audience, the practical lesson is not that Microsoft is responsible for fixing GnuPG. It is that the Windows attack surface is partly defined by what organizations install on Windows to do Unix-like, developer-like, and cross-platform things. A vulnerability in gpgsm can be relevant to a Windows shop even if the affected source package is tracked most visibly by Debian.
That also changes the patch conversation. Windows Update will not necessarily save you from every third-party cryptographic parser on a workstation. Defender for Endpoint, vulnerability management platforms, package inventories, winget records, software deployment tools, and old-fashioned file searches may all be needed to find where GnuPG actually lives.

Compatibility Is the Enemy That Keeps Winning​

Security engineers love strict parsers in theory and often inherit permissive parsers in practice. The reason is rarely incompetence. It is usually compatibility. Real-world encrypted messages arrive from old clients, buggy gateways, unusual certificates, custom tooling, and software that interpreted a standard just differently enough to work for years.
Over time, parsers learn to forgive. They accept optional fields in unexpected places, tolerate malformed lengths, normalize weird encodings, and continue processing when a stricter implementation would throw an error. Each concession may be defensible in isolation. Together, they create a dangerous ambiguity: the format specification says one thing, the ecosystem permits another.
CVE-2026-57062 sits exactly in that tension. If aes-ICVlen is supposed to be twelve bytes for this CMS AES-GCM usage, accepting four is not a harmless nicety. It tells senders and attackers alike that the recipient’s implementation can be negotiated into a weaker or at least nonconforming interpretation.
Cryptographic code is especially unforgiving of this kind of “be liberal in what you accept” philosophy. That old internet maxim may help text protocols survive messy networks, but it is a poor fit for authenticated encryption. In cryptography, invalid structure should usually die early and loudly.

The Attack Prerequisites Should Shape, Not Stop, The Response​

The user-facing warning attached to the CVE stresses that a successful attack depends on conditions beyond the attacker’s control. That language is significant. It places the issue outside the “send packet, get shell” category and inside the murkier world of exploit setup, environmental dependence, and workflow manipulation.
A man-in-the-middle position is one plausible example of the kind of condition that could matter in CMS-related attacks. So is prior knowledge of how a target processes encrypted messages, which tools are in the chain, and whether malformed objects are retried, forwarded, logged, or accepted by a downstream system. None of this makes exploitation easy. It makes exploitation situational.
Situational bugs are common in enterprise security. They are also the bugs most likely to be mismanaged. A scanner finds them, a dashboard labels them low, and the issue gets buried beneath remote-code-execution fire drills. Six months later, an audit discovers that the vulnerable component sits inside an automated evidence-handling or secure-mail workflow where integrity assumptions are central.
The right response is proportional. Do not halt operations over CVE-2026-57062. Do not wave it away because the score begins with a two. Find the affected installations, understand whether gpgsm is used, and patch or mitigate on a schedule that reflects how much trust your organization places in CMS/S/MIME processing.

Developers Should Treat This as a Test Case for Format Abuse​

For developers, the most useful part of this CVE is not the exact byte count. It is the reminder that cryptographic APIs are often called correctly while formats are validated incorrectly. A project can choose AES-GCM, pass tests, interoperate with common peers, and still fail on adversarially crafted metadata.
That is why fuzzing and negative test cases matter in cryptographic message handling. It is not enough to test that valid CMS messages decrypt. Implementations need tests proving that invalid tag lengths, unexpected algorithm identifiers, absent parameters, duplicate fields, and malformed encodings are rejected. The success path is the easy part; the failure path is where security policy lives.
This also applies to wrapper applications. If your product shells out to gpgsm, consumes its status output, or treats a successful decrypt as a trust decision, you need to know how it reacts to nonstandard CMS inputs. Does the wrapper distinguish parse failure from authentication failure? Does it continue processing partial output? Does it log enough for incident review without leaking sensitive content?
The safer design pattern is to make trust transitions explicit. A decrypted object should not become “trusted” merely because bytes came out the other side. The application should confirm that the cryptographic operation completed as expected, with the expected algorithm profile and validation semantics, before handing content to business logic.

Sysadmins Need Inventory More Than Drama​

The first operational step is mundane: determine where GnuPG is installed. On Windows, that means checking Gpg4win deployments, standalone GnuPG installs, portable tool directories, developer environments, WSL distributions, CI runners, and any application that bundles its own copy. On Linux servers and containers, it means checking distribution package status rather than assuming upstream version numbers tell the full story.
The second step is narrower: determine whether gpgsm is present and used. Many systems have GnuPG for OpenPGP verification only. Others use S/MIME, CMS, certificate-based encryption, or automated secure-message workflows. The latter group deserves faster attention because the affected parser sits closer to the organization’s trust boundary.
The third step is to follow vendor packages rather than improvising crypto upgrades. Debian unstable had a fixed source package listed as 2.4.9-5, while other Debian releases were still marked vulnerable in the tracker snapshot. Other distributions and Windows packages may carry fixes under different version labels. In cryptographic tooling, mixing ad hoc binaries into managed fleets can solve today’s CVE while creating tomorrow’s audit mess.
Finally, administrators should watch for backports. Stable distributions often patch a vulnerability without jumping to the newest upstream release. A scanner that only compares version strings may report a false positive after a vendor backport, or miss a vulnerable bundled copy outside the package manager. The cure is not blind trust in the scanner; it is correlating package metadata, vendor advisories, and file inventory.

The Windows Angle Is Mostly About Hidden Copies​

Most Windows users will not knowingly process CMS AES-GCM messages with gpgsm today. That is why the vulnerability is unlikely to become a mainstream consumer scare. But Windows power users and IT shops are exactly the audience that accumulates hidden copies of security tools.
Gpg4win remains the obvious place to check, especially in organizations that use Kleopatra or certificate-based mail workflows. Developer workstations are another. A Windows laptop that builds Linux packages, verifies artifacts, signs releases, or runs WSL may contain several GnuPG versions across native Windows and Linux userlands.
Security teams should also examine automation. Build agents, release-signing boxes, secure file-transfer scripts, and archival systems often run longer than ordinary desktop images and receive less routine software hygiene. If one of those systems processes CMS content from outside the trust boundary, a low-severity parser issue becomes more relevant than it looks on a generic dashboard.
The deeper Windows lesson is that third-party crypto should be treated as infrastructure. If an organization would inventory OpenSSL, Java runtimes, or embedded Chromium, it should inventory GnuPG too. The fact that a tool is invoked from a command line does not make it operationally invisible.

The Four-Byte Detail Exposes a Bigger Governance Problem​

Security teams often say they want “risk-based vulnerability management,” but CVE-2026-57062 shows how hard that is in practice. The CVSS score is low. The affected component is specialized. The exploitation conditions are constrained. Yet the flaw sits in software whose purpose is to make trust decisions.
A purely score-driven program may delay it indefinitely. A panic-driven program may overreact and disrupt workflows that are not exposed. A mature program asks sharper questions: Where do we use CMS? Do we rely on gpgsm for inbound untrusted objects? Are any automated decisions based on successful decryption or validation? Can we patch through normal maintenance without breaking certificate workflows?
This is the kind of vulnerability that rewards asset context. On a developer’s spare VM, it may be noise. On a secure-mail gateway, it may deserve near-term remediation. On a build-signing system that never touches CMS, it may be irrelevant despite the installed package. The same CVE can have three different priorities in the same organization.
That is not a failure of CVSS. It is a reminder that CVSS is a starting point, not a verdict. Vulnerability management becomes security only when it incorporates how software is actually used.

The Practical Reading of CVE-2026-57062 Is Narrow But Actionable​

The short version is not “drop everything.” It is “do not let a low score prevent a clean fix.” CVE-2026-57062 is bounded, specialized, and unlikely to affect users who never touch CMS/S/MIME paths, but it belongs to a class of parser errors that administrators should not normalize.
  • GnuPG installations through 2.5.20 should be considered potentially affected unless a vendor has explicitly shipped the relevant fix or backport.
  • The vulnerable code path is in gpgsm, so systems using S/MIME or CMS deserve more attention than systems using only ordinary OpenPGP verification.
  • Windows environments should check Gpg4win, standalone GnuPG installers, WSL distributions, developer toolchains, and bundled application copies rather than relying on Windows Update alone.
  • The public severity is low because exploitation is constrained, high-complexity, and not considered readily automatable, not because the parser behavior is desirable.
  • The safest operational response is to patch through trusted vendor channels and confirm whether scanners understand backported fixes.
CVE-2026-57062 will probably not be remembered as a defining cryptographic vulnerability of 2026. Its value is more prosaic and more useful: it shows how a four-byte tolerance in a message parser can undermine the clean assumptions administrators make about encrypted workflows. The next round of crypto hardening will not be won only by choosing modern algorithms; it will be won by making implementations reject the malformed, ambiguous, and almost-compatible inputs that attackers depend on.

References​

  1. Primary source: MSRC
    Published: 2026-07-01T01:40:05-07:00
  2. Related coverage: gnupg.org
  3. Related coverage: securityvulnerability.io
  4. Related coverage: lists.gnupg.org
  5. Related coverage: sentinelone.com
  6. Related coverage: tempmail.ninja
 

Back
Top