CVE-2026-41990

Public on 2026-04-23
Modified on 2026-04-25
Description
Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a stat ...

NOTE: https://www.openwall.com/lists/oss-security/2026/04/21/1
NOTE: https://dev.gnupg.org/T8208
NOTE: Introduced with: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=1b422366e2b3b5438713418b50f8a0a1abf8d365 (libgcrypt-1.12.0)
NOTE: Fixed by: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=905e00f046a71e5670517779afaf85a354952832 (libgcrypt-1.12.2)
Severity
Medium
CVSS v3 Base Score
4.0

Affected Packages

| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | libgcrypt | | | Not Affected |
| Amazon Linux 2023 | libgcrypt | | | Not Affected |
| Amazon Linux 2 - Core | libgcrypt1.8 | | | Not Affected |
| Amazon Linux 2 - Core | thunderbird | | | Not Affected |

CVSS Scores

| | Score Type | Score | Vector |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 4.0 | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L |