🟠 High  |  Source: Microsoft Security Response Center


A vulnerability in GnuPG’s gpgsm tool (versions through 2.5.20) allows a 4-byte AES-GCM integrity check value (ICV) to be accepted where 12 bytes is required by the CMS standard. This weakens authenticated encryption, potentially allowing tampered or forged encrypted messages to be processed without detection. The issue is related to a prior vulnerability, CVE-2026-34182, suggesting a pattern of weaknesses in GnuPG’s CMS parsing logic.

Security Architect’s Take: Audit any Azure workloads or pipelines that rely on GnuPG (gpgsm) for CMS-format encrypted message handling — particularly S/MIME signing or encryption workflows. Prioritise upgrading GnuPG beyond 2.5.20 once a patched release is available, and consider enforcing strict ICV length validation at the application layer in the interim.

Original advisory: CVE-2026-57062 CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is related to CVE-2026-34182.