
Description

Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.

PUBLISHED Reserved 2026-04-23 | Published 2026-04-23 | Updated 2026-04-23 | Assigner mitre




MEDIUM: 4.0 | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Problem types

CWE-787 Out-of-bounds Write

Product status

Default status: unaffected

1.12.0 (semver) before 1.12.2: affected

References

lists.gnupg.org/pipermail/gnupg-announce/2026q2/000503.html

www.openwall.com/lists/oss-security/2026/04/21/1

dev.gnupg.org/T8208

cve.org (CVE-2026-41990)

nvd.nist.gov (CVE-2026-41990)
