CVE-2025-68972
Signature Bypass in GnuPG via Malformed Signed Message Line
Publication date: 2025-12-27
Last updated on: 2025-12-27
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gnupg | gnupg | through 2.4.8 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
AI Powered Q&A
Can you explain this vulnerability to me?
GnuPG through version 2.4.8 mishandles a signed message in which a plaintext line ends with a form feed character (\f). GnuPG uses \f internally as a marker that a long plaintext line was truncated, so an attacker can take such a message and append additional text after the signed content: the signature still verifies successfully, and the only indication of tampering is an "invalid armor" warning printed during verification. A consumer that relies on the verification result and does not treat that warning as a failure will accept the appended text as if it were covered by the signature.
How can this vulnerability impact me?
An attacker can add content after the originally signed material without causing signature verification to fail, so the signature no longer guarantees the integrity of the whole message. Any workflow that acts on the verification result alone (signed announcements, instructions, checksums or manifests distributed as signed messages) may accept tampered content as authentic. Until a fixed version is deployed, treat an "invalid armor" warning from gpg as a verification failure rather than a cosmetic message, and reject recovered plaintext that contains a form feed character.
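The following is an added example, not code from the GnuPG project or from this advisory: a Python wrapper that applies the policy a consumer of signed messages should follow in light of this issue. It accepts a message only when gpg reports GOODSIG and VALIDSIG, the log carries no "invalid armor" warning, and the recovered plaintext contains no form feed. The gpg invocation (`--status-fd 1 --output ... --decrypt`) is standard GnuPG usage; the status and log lines embedded below are constructed for the self-test, and the exact wording of the armor warning is an assumption (only the substring "invalid armor", which the advisory names, is relied upon).

```python
"""Strict gpg verification wrapper (added example, not GnuPG project code).

Decision rule: accept only when gpg reports GOODSIG and VALIDSIG, the log has
no "invalid armor" warning, and the recovered plaintext has no form feed (\\f).
Sample status/log lines below are constructed; the warning wording is assumed.
"""
import os
import subprocess
import tempfile

STATUS_PREFIX = "[GNUPG:] "


def parse_status(status_text):
    """Turn gpg --status-fd output into {KEYWORD: [argument string, ...]}."""
    found = {}
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        parts = line[len(STATUS_PREFIX):].split(None, 1)
        if parts:
            found.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return found


def decide(status_text, log_text, plaintext):
    """Return (accepted, reason). Fails closed on anything unexpected."""
    st = parse_status(status_text)
    if "BADSIG" in st or "ERRSIG" in st:
        return False, "bad or unverifiable signature"
    if "GOODSIG" not in st or "VALIDSIG" not in st:
        return False, "no GOODSIG/VALIDSIG status line"
    # CVE-2025-68972: gpg still reports success but logs an "invalid armor"
    # warning when text was appended after the signed content. Treat it as fatal.
    if "invalid armor" in log_text.lower():
        return False, "gpg warned about invalid armor; rejecting message"
    # \f is gpg's internal marker for a truncated long line; genuine signed
    # text should not carry it, so reject it as a defensive heuristic.
    if b"\x0c" in plaintext:
        return False, "form feed in recovered plaintext"
    return True, "good signature, armor clean"


def verify_file(path, gpg="gpg"):
    """Run gpg on an armored signed file and apply decide(). Needs gpg on PATH."""
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "plaintext")
        # Status lines go to stdout, log messages to stderr, plaintext to `out`.
        proc = subprocess.run(
            [gpg, "--batch", "--no-tty", "--status-fd", "1",
             "--output", out, "--decrypt", path],
            capture_output=True, text=True, check=False)
        plain = b""
        if os.path.exists(out):
            with open(out, "rb") as fh:
                plain = fh.read()
    return decide(proc.stdout, proc.stderr, plain)


# Constructed samples (not captured from a real gpg run) for the self-test.
CLEAN_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2025-12-27 "
    "1766793600 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_ULTIMATE 0 pgp\n"
)
CLEAN_LOG = 'gpg: Good signature from "Example Signer <signer@example.org>"\n'
# Exact wording is an assumption; only the "invalid armor" substring matters.
TAMPERED_LOG = CLEAN_LOG + "gpg: WARNING: invalid armor: ...\n"

CLEAN_TEXT = b"Release 1.2.3 sha256: 0123abcd\n"
# Signed line ending in \f, followed by text the signer never signed.
TAMPERED_TEXT = b"Release 1.2.3 sha256: 0123abcd\x0c\nAppended unsigned text\n"


if __name__ == "__main__":
    import sys
    print(decide(CLEAN_STATUS, CLEAN_LOG, CLEAN_TEXT))
    print(decide(CLEAN_STATUS, TAMPERED_LOG, TAMPERED_TEXT))
    if len(sys.argv) > 1:
        print(verify_file(sys.argv[1]))
```

Run it as `python verify_strict.py message.asc` with gpg on PATH; with no argument it evaluates the constructed samples. Where the workflow allows, distributing a detached signature over the raw file instead of an armored signed message avoids extracting plaintext from the armor at all.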