PatchSiren cyber security CVE debrief
CVE-2026-41989 gnupg CVE debrief
A medium-severity vulnerability, CVE-2026-41989, was found in Libgcrypt, a cryptographic library. The vulnerability allows for a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt. The CVE record was published on 2026-04-23T05:16:05.750Z and has not been modified since then. This vulnerability has a CVSS score of 6.7 and a severity of MEDIUM. Users of affected Libgcrypt versions should be aware of this vulnerability and take steps to mitigate it.
- Vendor
- gnupg
- Product
- Libgcrypt
- CVSS
- MEDIUM 6.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-23
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-04-23
- Advisory updated
- 2026-07-14
Who should care
Users of Libgcrypt versions prior to 1.12.2, 1.10.4, and 1.11.3 should be aware of this vulnerability and take steps to mitigate it. This includes operators, platform administrators, vulnerability management teams, and security teams who may be impacted by the vulnerability.
Technical summary
The vulnerability, CVE-2026-41989, exists in the Libgcrypt library, specifically in the gcry_pk_decrypt function. It allows for a heap-based buffer overflow and denial of service via crafted ECDH ciphertext. The vulnerability has a CVSS score of 6.7 and a severity of MEDIUM. Affected versions include Libgcrypt versions prior to 1.12.2, 1.10.4, and 1.11.3. Users of affected Libgcrypt versions should be aware of this vulnerability and take steps to mitigate it, including reviewing Libgcrypt configurations and deployments, and tracking exceptions and retesting remediated assets. This vulnerability could potentially lead to a denial of service, and medium priority should be given to patching or mitigating it. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify Libgcrypt usage and apply patches or mitigations as needed.
Defensive priority
Medium priority should be given to patching or mitigating this vulnerability, as it could potentially lead to a denial of service.
Recommended defensive actions
- Inventory and assess Libgcrypt usage in your environment.
- Check for and apply vendor patches or updates to Libgcrypt.
- Implement compensating controls, such as monitoring for suspicious activity.
- Consider upgrading to a non-vulnerable version of Libgcrypt.
- Review and verify Libgcrypt configurations and deployments.
- Track exceptions and retest remediated assets.
- Monitor relevant logs and detection systems for exposed assets.
Evidence notes
The CVE record and NVD entry provide details on the vulnerability, including its CVSS score and affected versions of Libgcrypt. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify Libgcrypt usage and apply patches or mitigations as needed. The vulnerability affects Libgcrypt versions prior to 1.12.2, 1.10.4, and 1.11.3.
Official resources
-
CVE-2026-41989 CVE record
CVE.org
-
CVE-2026-41989 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
[email protected] - Broken Link
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
-
Source reference
0b142b55-0307-4c5a-b3c9-f314f3fb7c5e
-
Source reference
0b142b55-0307-4c5a-b3c9-f314f3fb7c5e
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-23T05:16:05.750Z and has not been modified since then.