CVE-2025-30258

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-30258

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-30258.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-30258

Related

Published

2025-03-19T20:15:20Z

Modified

2025-03-21T20:49:17.936976Z

Summary

[none]

Details

In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."

References

Affected packages

Debian:11 / gnupg2

Package

Name: gnupg2
Purl: pkg:deb/debian/gnupg2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.2.27-2

2.2.27-2+deb11u1

2.2.27-2+deb11u2

2.2.27-3

2.2.34-1

2.2.35-1

2.2.35-2

2.2.35-3

2.2.39-1

2.2.40-1

2.2.40-1+hurd.1

2.2.40-1.1

2.2.40-1.1+hurd.1

2.2.40-1.1+loong64

2.2.40-2

2.2.40-3

2.2.43-1

2.2.43-2

2.2.43-3

2.2.43-4

2.2.43-5

2.2.43-6

2.2.43-7

2.2.43-8

2.2.44-1

2.2.45-1

2.2.45-2

2.2.45-3

2.2.46~pre1-1

2.2.46-1

2.2.46-2

2.2.46-3

2.2.46-4

2.2.46-5

2.3.1-1

2.4.3-2

2.4.4-1

2.4.4-2

2.4.4-3

2.4.4-4

2.4.5-1

2.4.5-2

2.4.5-3

2.4.6-1

2.4.7-1

2.4.7-2

2.4.7-3

2.4.7-4

2.4.7-5

2.4.7-6

2.4.7-7

2.4.7-8

2.4.7-9

2.4.7-10

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / gnupg2

Package

Name: gnupg2
Purl: pkg:deb/debian/gnupg2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.2.40-1.1

2.2.40-1.1+hurd.1

2.2.40-1.1+loong64

2.2.40-2

2.2.40-3

2.2.43-1

2.2.43-2

2.2.43-3

2.2.43-4

2.2.43-5

2.2.43-6

2.2.43-7

2.2.43-8

2.2.44-1

2.2.45-1

2.2.45-2

2.2.45-3

2.2.46~pre1-1

2.2.46-1

2.2.46-2

2.2.46-3

2.2.46-4

2.2.46-5

2.3.1-1

2.4.3-2

2.4.4-1

2.4.4-2

2.4.4-3

2.4.4-4

2.4.5-1

2.4.5-2

2.4.5-3

2.4.6-1

2.4.7-1

2.4.7-2

2.4.7-3

2.4.7-4

2.4.7-5

2.4.7-6

2.4.7-7

2.4.7-8

2.4.7-9

2.4.7-10

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / gnupg2

Package

Name: gnupg2
Purl: pkg:deb/debian/gnupg2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.2.46-5

Affected versions

2.*

2.2.40-1.1

2.2.40-1.1+hurd.1

2.2.40-1.1+loong64

2.2.40-2

2.2.40-3

2.2.43-1

2.2.43-2

2.2.43-3

2.2.43-4

2.2.43-5

2.2.43-6

2.2.43-7

2.2.43-8

2.2.44-1

2.2.45-1

2.2.45-2

2.2.45-3

2.2.46~pre1-1

2.2.46-1

2.2.46-2

2.2.46-3

2.2.46-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}