The vulnerability lies in how GnuPG handles compressed OpenPGP packets in contexts that have no legitimate need for them, in particular public key import and detached-signature verification. An attacker can craft an input that is tiny on the wire (for example, a public key whose thousands of signatures are wrapped in a single compressed packet) but that expands into a large packet stream once decompressed, so parsing and processing it costs far more memory and CPU time than its size suggests, leading to a denial of service. The patch addresses this by rejecting compressed packets outright in those contexts (key import, detached signatures) and by adding stricter checks on the packet types and structures accepted there. The functions identified are those directly involved in parsing and processing these packets; the patch modifies them to enforce the new restrictions. The evidence is taken directly from the diff quoted in the marc.info mailing list post, as direct commit access failed.
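To make the shape of the problem and of the fix concrete, the following is an added example (not GnuPG's code and not taken from the patch): a minimal RFC 4880 packet walker that refuses compressed-data packets (tag 8) in a key-import or detached-signature context before any decompression happens, and that bounds inflation and nesting where compression is still allowed. The context names, the size cap, the nesting limit and the constructed sample key block are this example's own assumptions; the sample packet bodies are placeholders, not real key material.

```python
"""Minimal OpenPGP (RFC 4880) packet walker illustrating the policy above:
refuse compressed packets (tag 8) during key import and detached-signature
verification, bound decompression elsewhere.  Added example, not GnuPG code;
context names, caps and the sample data are assumptions of this example."""
import struct
import zlib

# RFC 4880 section 4.3 packet tags used here.
TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_COMPRESSED, TAG_USER_ID = 2, 6, 8, 13

# Assumed policy: these contexts never need compression, so tag 8 is rejected
# before any inflation takes place.  The other two limits are also assumptions.
CONTEXTS_WITHOUT_COMPRESSION = {"key-import", "detached-signature"}
MAX_INFLATED_BYTES = 1 << 20   # cap on inflated output where compression is allowed
MAX_NESTING = 1                # at most one compression layer


class PacketError(ValueError):
    pass


def _take(data, pos, n):
    """Return data[pos:pos+n] and the new position, or fail on truncation."""
    if pos + n > len(data):
        raise PacketError(f"input truncated at offset {pos}")
    return data[pos:pos + n], pos + n


def parse_packets(data: bytes):
    """Yield (tag, body) for new- and old-format packets (RFC 4880 4.2).

    New-format partial body lengths are reassembled; an old-format
    indeterminate length (type 3) runs to the end of the input.
    """
    pos = 0
    while pos < len(data):
        first, pos = data[pos], pos + 1
        if not first & 0x80:
            raise PacketError(f"bit 7 clear at offset {pos - 1}: not a packet header")
        body = bytearray()
        if first & 0x40:                                   # new-format header
            tag, partial = first & 0x3F, True
            while partial:
                raw, pos = _take(data, pos, 1)
                b1, partial = raw[0], False
                if b1 < 192:                               # one-octet length
                    length = b1
                elif b1 < 224:                             # two-octet length
                    raw, pos = _take(data, pos, 1)
                    length = ((b1 - 192) << 8) + raw[0] + 192
                elif b1 == 255:                            # five-octet length
                    raw, pos = _take(data, pos, 4)
                    length = struct.unpack(">I", raw)[0]
                else:                                      # 224..254: partial body length
                    length, partial = 1 << (b1 & 0x1F), True
                chunk, pos = _take(data, pos, length)
                body += chunk
        else:                                              # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                length = len(data) - pos
            else:
                raw, pos = _take(data, pos, (1, 2, 4)[ltype])
                length = int.from_bytes(raw, "big")
            chunk, pos = _take(data, pos, length)
            body += chunk
        yield tag, bytes(body)


def process(data: bytes, context: str, depth: int = 0):
    """Walk packets under the context policy; return the list of tags seen."""
    seen = []
    for tag, body in parse_packets(data):
        if tag != TAG_COMPRESSED:
            seen.append(tag)
            continue
        if context in CONTEXTS_WITHOUT_COMPRESSION:       # the hardening: refuse, never inflate
            raise PacketError(f"compressed packet not allowed during {context}")
        if depth >= MAX_NESTING:
            raise PacketError("compressed packet nested too deeply")
        if not body or body[0] != 1:                       # algorithm 1 = ZIP (raw DEFLATE)
            raise PacketError("only ZIP (algorithm 1) handled in this example")
        inflater = zlib.decompressobj(-15)                 # -15: raw DEFLATE, no zlib header
        inflated = inflater.decompress(body[1:], MAX_INFLATED_BYTES)
        if inflater.unconsumed_tail or not inflater.eof:   # output cap hit or stream truncated
            raise PacketError(f"inflated data exceeds {MAX_INFLATED_BYTES} bytes or is truncated")
        seen.extend(process(inflated, context, depth + 1))
    return seen


def new_packet(tag: int, body: bytes) -> bytes:
    """Encode one new-format packet with a 1-, 2- or 5-octet length field."""
    n = len(body)
    if n < 192:
        hdr = bytes([n])
    elif n < 8384:
        hdr = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        hdr = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + hdr + body


def build_sample_keyblock(n_sigs: int = 5000) -> bytes:
    """Constructed sample: key + user ID followed by thousands of dummy-bodied
    signature packets hidden inside one small compressed packet."""
    block = new_packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 20)
    block += new_packet(TAG_USER_ID, b"Example <example@example.org>")
    sigs = b"".join(new_packet(TAG_SIGNATURE, b"\x04\x10" + b"\x00" * 30)
                    for _ in range(n_sigs))
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    return block + new_packet(TAG_COMPRESSED, b"\x01" + deflater.compress(sigs) + deflater.flush())


def policy_rejects(data: bytes, context: str) -> bool:
    """True if the walker refuses `data` under `context`."""
    try:
        process(data, context)
    except PacketError:
        return True
    return False
```

Running `process(build_sample_keyblock(), "key-import")` fails at the compressed packet without inflating anything, while the same bytes in an ordinary message context inflate to roughly 170 kB of signature packets from about a kilobyte on the wire; raising `n_sigs` past the cap is refused there too. The output cap and nesting limit are what keep the still-permitted contexts from being turned into the same amplifier.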