S/MIME Stack Overflow: OpenAI Researchers Uncover “Highly Likely” RCE in GnuPG

The GnuPG Project has inaugurated a vital maintenance release, GnuPG 2.5.17, engineered to rectify a critical security deficit within the 2.5.x development branch. According to a formal dispatch via the gnupg-announce mailing list, the flaw afflicts versions 2.5.13 through 2.5.16, as well as the Gpg4win 5.0.0 installer and its antecedent beta iterations. The developers have affirmed that all other versions remain impervious to this specific threat.

The anomaly resides within the processing of CMS (S/MIME) EnvelopedData. A meticulously engineered message containing an inordinately large “wrapped” session key precipitates a stack buffer overflow within the gpg-agent utility during the execution of a PKDECRYPT operation with the --kem=CMS parameter. While such a malfunction readily facilitates a Denial of Service (DoS), the developers caution that the resulting memory corruption is “highly likely” to be weaponized for Remote Code Execution (RCE). This vulnerability was inadvertently introduced during an architectural revision of the internal API to accommodate the KEM (Key Encapsulation Mechanism) interface necessitated by FIPS compliance.

Although a formal CVE identifier is currently pending, the flaw is tracked within the GnuPG repository as T8044. The disclosure is attributed to the OpenAI Security Research team, who submitted their findings on January 18, 2026; a remediated release followed on January 27. Concurrently, the Windows ecosystem has been fortified with the release of Gpg4win 5.0.1, which users are urged to adopt immediately.

The development collective advocates for an expeditious transition to GnuPG 2.5.17. For environments where an immediate upgrade is unfeasible, an interim mitigation involves the excision of the gpgsm (or gpgsm.exe) binary, effectively neutralizing the remote trigger vector via S/MIME. Beyond this primary fix, version 2.5.17 incorporates various auxiliary security refinements, the details of which are consolidated in the official release documentation.