CVE-2025-68972_CVE-2025-68972

5.9 / 10

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Description

In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.

Basic Information

ID CVE-2025-68972

Source mitre

Published Dec 27, 2025 at 22:52

Modified Dec 27, 2025 at 23:13

Affected Product

Vendor GnuPG

Product GnuPG

Affected Versions GnuPG GnuPG 0

CWE Classification

CWE-347

References

{
    "lastseen": "",
    "description": "In GnuPG through 2.4.8, if a signed message has \\f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an \"invalid armor\" message is printed during verification). This is related to use of \\f as a marker to denote truncation of a long plaintext line.",
    "published": "2025-12-27T22:52:30.957Z",
    "modified": "2025-12-27T23:13:16.695Z",
    "type": "cve",
    "title": "CVE-2025-68972",
    "source": "mitre",
    "references": "https://gpg.fail/formfeed\nhttps://news.ycombinator.com/item?id=46404339",
    "id": "CVE-2025-68972",
    "bulletinFamily": "",
    "cwe": [
        "CWE-347"
    ],
    "cvelist": null,
    "sourceData": "GnuPG GnuPG 0",
    "sourceHref": "",
    "cvss": {
        "score": 5.9,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "GnuPG",
    "version": "0",
    "vendor": "GnuPG",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}