#VU120610 Numeric truncation error in GnuPG - CVE-2025-68972

Published: December 29, 2025


Vulnerability identifier: #VU120610
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N/E:U/U:Green
CVE-ID: CVE-2025-68972
CWE-ID: CWE-197
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
GnuPG
Software vendor:
GNU

Description

The vulnerability allows a remote attacker to spoof the contents of signed messages.

The vulnerability exists because the software truncates plaintext lines to 20000 characters minus padding when verifying signed data. A remote attacker can inject an arbitrary payload into a signed message that still verifies successfully, allowing message spoofing.
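As an added example (not code from the advisory or from the GnuPG project), the following pre-verification check extracts the cleartext part of a PGP cleartext-signed message and flags lines whose length approaches the 20000-character limit stated above, so that a consumer can refuse to trust verification output for such messages until a fixed version is available. The 1024-character safety margin and the sample message are assumptions constructed for this example.

```python
# Added example: pre-verification sanity check for PGP cleartext-signed messages.
# Not from the advisory or GnuPG; the margin below is an assumption.

LINE_LIMIT = 20000  # truncation limit stated in the advisory
MARGIN = 1024       # assumed headroom for "minus padding"; not from the advisory
FLAG_AT = LINE_LIMIT - MARGIN

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"


def extract_cleartext(armored: str) -> list[str]:
    """Return the cleartext lines between the armor headers and the signature block."""
    lines = armored.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        end = lines.index(BEGIN_SIG, start)
    except ValueError:
        raise ValueError("not a cleartext-signed message") from None
    body = lines[start + 1:end]
    # Skip the "Hash: ..." armor headers; the first blank line ends them (RFC 4880 §7).
    i = 0
    while i < len(body) and body[i].strip():
        i += 1
    return body[i + 1:]


def overlong_lines(armored: str, flag_at: int = FLAG_AT) -> list[tuple[int, int]]:
    """Return (line_number, length) for every cleartext line at or above flag_at."""
    return [(n, len(line))
            for n, line in enumerate(extract_cleartext(armored), start=1)
            if len(line) >= flag_at]


# Constructed sample: a short signed text with one overlong line appended.
SAMPLE = "\n".join([
    BEGIN_MSG, "Hash: SHA256", "",
    "Invoice total: 100 EUR",
    "x" * 19500,
    BEGIN_SIG, "(signature block omitted in this constructed sample)",
    "-----END PGP SIGNATURE-----",
])

if __name__ == "__main__":
    hits = overlong_lines(SAMPLE)
    for n, length in hits:
        print(f"line {n}: {length} chars >= {FLAG_AT}; do not trust verification output")
    if not hits:
        print("no overlong cleartext lines found")
```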


Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

External links