CVE-2025-30258

Publication date 19 March 2025

Last updated 30 May 2025


Ubuntu priority

Cvss 3 Severity Score

2.7 · Low

Score breakdown

In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a “verification DoS.”

Status

Package Ubuntu Release Status
gnupg2 25.04 plucky
Fixed 2.4.4-2ubuntu23
24.10 oracular
Fixed 2.4.4-2ubuntu18.2
24.04 LTS noble
Fixed 2.4.4-2ubuntu17.2
22.04 LTS jammy
Fixed 2.2.27-3ubuntu2.3
20.04 LTS focal
Fixed 2.2.19-3ubuntu2.4
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation

Severity score breakdown

Parameter Value
Base score 2.7 · Low
Attack vector Local
Attack complexity High
Privileges required None
User interaction Required
Scope Changed
Confidentiality None
Integrity impact None
Availability impact Low
Vector CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L

References

Related Ubuntu Security Notices (USN)

Other references