🟠 High | Source: Microsoft Security Response Center
A vulnerability in GnuPG’s gpgsm tool (versions through 2.5.20) allows a 4-byte AES-GCM integrity check value (ICV) to be accepted where 12 bytes is required by the CMS standard. This weakens authenticated encryption, potentially allowing tampered or forged encrypted messages to be processed without detection. The issue is related to a prior vulnerability, CVE-2026-34182, suggesting a pattern of weaknesses in GnuPG’s CMS parsing logic.
Security Architect’s Take: Audit any Azure workloads or pipelines that rely on GnuPG (gpgsm) for CMS-format encrypted message handling — particularly S/MIME signing or encryption workflows. Prioritise upgrading GnuPG beyond 2.5.20 once a patched release is available, and consider enforcing strict ICV length validation at the application layer in the interim.