CVE-2026-41989

Publication date 23 April 2026

Last updated 27 May 2026

Ubuntu priority

Why this priority?

Cvss 3 Severity Score

Score breakdown

Description

Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
libgcrypt20	26.04 LTS resolute	Fixed 1.12.0-2ubuntu0.1
	25.10 questing	Fixed 1.11.0-7ubuntu0.1
	24.04 LTS noble	Fixed 1.10.3-2ubuntu0.1
	22.04 LTS jammy	Fixed 1.9.4-3ubuntu3.2
	20.04 LTS focal	Needs evaluation
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
libgcrypt20	Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=2d3d732c9bf87cc10729f69678dd9e6862f99fa3

Severity score breakdown

Parameter	Value
Base score	6.7 · Medium
Attack vector	Local
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-8319-1
Libgcrypt vulnerabilities
27 May 2026

Other references

Access our resources on patching vulnerabilities