Use-after-free vulnerability in kbx/keybox-blob.c in GPGSM in GnuPG 2.x through 2.0.16 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a certificate with a large number of Subject Alternate Names, which is not properly handled in a realloc operation when importing the certificate or verifying its signature.

Threat-Mapped Scoring

Score: 1.9

Priority: P3 - Important (Medium)

• S9 – Sabotage of System/App
• S10 – Denial of Service (+0.1 bonus)

EPSS

Score: 0.15103
Percentile: 0.94259

CVSS Scoring

Mapped CWE(s)

• CWE-416 : Use After Free

Affected Products

• cpe:2.3:a:gnupg:gnupg:*:*:*:*:*:*:*:*
• cpe:2.3:o:fedoraproject:fedora:13:*:*:*:*:*:*:*
• cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:*

← Back to Home