CVE-2025-30258

Publication date 19 March 2025

Last updated 30 May 2025

Ubuntu priority

Cvss 3 Severity Score

In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a “verification DoS.”

Status

Show unmaintained releases

Package	Ubuntu Release	Status
gnupg2	25.04 plucky	Fixed 2.4.4-2ubuntu23
	24.10 oracular	Fixed 2.4.4-2ubuntu18.2
	24.04 LTS noble	Fixed 2.4.4-2ubuntu17.2
	22.04 LTS jammy	Fixed 2.2.27-3ubuntu2.3
	20.04 LTS focal	Fixed 2.2.19-3ubuntu2.4
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
gnupg2	Upstream: https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=48978ccb4e20866472ef18436a32744350a65158 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=d3d7713c1799754160260cb350309dd183b397f5 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=25d748c3dfc0102f9e54afea59ff26b3969bd8c1 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=9cd371b12d80cfc5bc85cb6e5f5eebb4decbe94f Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=da0164efc7f32013bc24d97b9afa9f8d67c318bb Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=1e581619bf5315957f2be06b3b1a7f513304c126 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=4be25979a6b3e2a79d7c9667b07db8b09fb046e9

Package

Patch details

gnupg2

Severity score breakdown

Parameter	Value
Base score	2.7 · Low
Attack vector	Local
Attack complexity	High
Privileges required	None
User interaction	Required
Scope	Changed
Confidentiality	None
Integrity impact	None
Availability impact	Low
Vector	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L

References

Related Ubuntu Security Notices (USN)

USN-7412-1
GnuPG vulnerability
3 April 2025

CVE-2025-30258

Cvss 3 Severity Score

Status

Patch details

Severity score breakdown

References

Related Ubuntu Security Notices (USN)

Other references