CVE-2025-30258

Published: 3/19/2025 Last updated: 3/19/2025 Reserved: 3/19/2025

In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."

CNA assigner: mitre (8254265b-2729-46b6-b9e3-3dfca2d5bfca) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	2.7	Low	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L

Opam packages affected (1)

0install

Products affected (1)

Product	Vendor	Version
GnuPG	GnuPG	3.2(7k)

References (3)

https://lists.gnupg.org/pipermail/gnupg-announce/2025q1/000491.html
https://dev.gnupg.org/T7527
https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158