
CVE-2025-68972

Published: 12/27/2025
Last updated: 1/2/2026
Reserved: 12/27/2025

In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.

CNA assigner: mitre (8254265b-2729-46b6-b9e3-3dfca2d5bfca)
Requested by: n/a

Metrics

| Version | Score | Severity | Vector String |
|---------|-------|----------|---------------|
| 3.1 | 5.9 | Medium | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N |

Opam packages affected (1)

0install

Products affected (1)

| Product | Vendor | Version |
|---------|--------|---------|
| GnuPG | GnuPG | n/a |

References (8)