A parsing quirk in GnuPG's S/MIME implementation can silently downgrade the authentication strength of encrypted messages, the GnuPG maintainers warned on June 28, 2026. The vulnerability, tracked as CVE-2026-57062, allows an attacker to craft a specially formatted CMS (Cryptographic Message Syntax) object that uses AES-GCM with an integrity-check tag as short as 4 bytes, instead of the standard 16 bytes. While rated low severity because it requires a malicious or compromised sender, the bug underscores the danger of lenient cryptographic parsing—and Windows users who rely on Gpg4win should patch immediately.
GnuPG versions 2.5.20 and earlier are affected. The flaw resides in gpgsm, the dedicated tool for S/MIME (Secure/Multipurpose Internet Mail Extensions) operations. It does not affect the OpenPGP counterpart, gpg. This distinction is critical for Windows environments, where Gpg4win bundles both components and many email clients invoke gpgsm transparently for signed or encrypted messages.
Understanding AES-GCM and CMS
AES-GCM (Galois/Counter Mode) is an authenticated encryption mode that provides confidentiality and integrity in one operation. It produces a ciphertext and an authentication tag, normally 16 bytes (128 bits) long, and any modification of the ciphertext, nonce, or associated data is detected when the tag fails to verify. In CMS, authenticated encryption is carried by the AuthEnvelopedData content type (RFC 5083, an extension of the base CMS specification in RFC 5652), and the AES-GCM algorithm parameters defined in RFC 5084 carry the nonce together with the tag length as an INTEGER field named aes-ICVlen, which defaults to 12 bytes and which the RFC constrains to the values 12 through 16.
NIST SP 800-38D permits five general-purpose tag lengths: 128, 120, 112, 104 and 96 bits. Its Appendix C also allows 64- and 32-bit tags, but only under strict limits on message size and on the number of verification attempts, because the tag length is the direct measure of forgery resistance. A 128-bit tag is the recommended choice, and RFC 5084 does not allow anything below 96 bits in CMS at all. With a 4-byte (32-bit) tag, an attacker who submits candidate forgeries to the recipient's decryptor needs about 2^31 attempts on average before one is accepted; the attempts must be made against a verifier rather than offline, but 2^32 is a trivially small space, and Ferguson's 2005 analysis of GCM showed that each forgery accepted under a short tag also leaks information about the hash subkey, making later forgeries easier. A 16-byte tag puts the same attack at roughly 2^127 attempts, far outside any brute-force capability.
The Vulnerability: A Four-Byte Seal of (Dis)approval
When gpgsm processes an incoming S/MIME message, it parses the CMS AuthEnvelopedData content, reads the stated tag length from the algorithm parameters, and verifies that many bytes of tag. CVE-2026-57062 arises because gpgsm did not reject a stated tag length of 4 bytes. A sender who controls the CMS structure simply computes the real GCM tag with the content-encryption key and truncates it to 4 bytes. Because a GCM tag of length t is the first t bytes of the full 16-byte tag, a third party who intercepts a legitimate message can likewise rewrite the parameter to 4 and truncate the tag, after which altering the ciphertext requires only about 2^32 verification attempts instead of an infeasible 2^128. In either case the receiver's gpgsm treats the message as intact even though the integrity protection has been reduced to almost nothing.
This flaw does not allow an attacker to decrypt the content; the AES-GCM ciphertext remains protected. What is lost is the integrity guarantee: a third party could inject or alter data inside the CMS stream, or a dishonest sender could ship an object whose weak tag leaves the recipient's software with nothing meaningful to check. Note that a GCM tag only proves that whoever produced the message held the content-encryption key; it is not a sender signature, which in S/MIME comes from a separate SignedData layer. The practical exploit requires that the victim's gpgsm process a message crafted by the attacker, a scenario most plausible in phishing campaigns where encrypted attachments are used to get past content scanners.
The Common Vulnerability Scoring System (CVSS) assessment yields a base score of 3.5, reflecting low attack complexity, no required privileges, and a limited integrity impact; the victim still has to open or process the S/MIME object. The integrity impact is rated as low because the attacker cannot alter previously encrypted data outright: the weak tag lowers the cost of a successful forgery from infeasible to roughly 2^32 attempts, or lets a sender who already holds the content-encryption key deliver an object that the recipient accepts with almost no integrity check.
Who Is Affected?
Windows users who employ GnuPG through the Gpg4win distribution are the primary audience for this alert. Gpg4win bundles gpgsm alongside gpg, the Kleopatra certificate manager, GpgEX for the Explorer context menu, and the GpgOL plug-in for Microsoft Outlook, which is the usual route by which S/MIME mail reaches gpgsm on Windows. (Mozilla Thunderbird handles S/MIME with its own NSS-based code and does not call gpgsm.) Any configuration that processes S/MIME encrypted mail using AES-GCM is vulnerable if the installed gpgsm version is 2.5.20 or older.
Affected versions:
- GnuPG 2.5.0 through 2.5.20 (gpgsm)
- Gpg4win 4.2.0 and earlier, as they bundle the vulnerable gpgsm
Organizations that rely on S/MIME for regulatory compliance (e.g., healthcare, finance) should treat this as a high-priority patch, despite the official severity rating, because the integrity of their email-based workflows depends on it. In enterprise environments, automated decryption gateways or mail filters built on GnuPG could also be affected, potentially allowing an attacker to inject malware-laden content that decrypts cleanly and appears intact to downstream processing.
Mitigation: Patch Now
The GnuPG team promptly released version 2.5.21, which enforces a minimum tag length of 12 bytes (96 bits), the shortest value RFC 5084 allows for AES-GCM in CMS and the shortest general-purpose length in NIST SP 800-38D. This change aligns gpgsm with the specification and fully resolves CVE-2026-57062. Windows users should:
- Upgrade Gpg4win to the latest build that includes GnuPG 2.5.21 or later.
- Ensure that any custom installations of GnuPG are updated directly from the official site.
- Audit email clients and middleware to confirm that gpgsm is not being called from an older, manual installation.
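The audit step above can be scripted. The following is an added example, not a Gpg4win or GnuPG tool: it locates copies of gpgsm on a Windows host, runs each with --version, and flags any copy below the fixed release this article names. The install directories searched are the usual Gpg4win defaults but are an assumption for any given machine, the 2.5.21 threshold is taken from this article, and the output format "gpgsm (GnuPG) X.Y.Z" is what gpgsm actually prints on its first line.

```python
"""Added example, not part of GnuPG or Gpg4win: find every gpgsm on a Windows host,
query its version, and flag copies older than the release the advisory names."""
import re
import shutil
import subprocess
from pathlib import Path
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed release according to the article; raise this as later advisories appear.
FIXED_VERSION: Version = (2, 5, 21)

# Usual Gpg4win / GnuPG install locations on Windows (assumption; add site-specific paths).
CANDIDATE_DIRS = [
    r"C:\Program Files (x86)\GnuPG\bin",
    r"C:\Program Files (x86)\Gpg4win\bin",
    r"C:\Program Files\GnuPG\bin",
]

# gpgsm prints its version on the first line as "gpgsm (GnuPG) X.Y.Z".
_VERSION_RE = re.compile(r"^gpgsm \(GnuPG\) (\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_gpgsm_version(output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from `gpgsm --version` output; None if absent."""
    m = _VERSION_RE.search(output)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def needs_update(version: Optional[Version]) -> bool:
    """True when a parsed version is below FIXED_VERSION. Unknown (None) versions
    are not flagged here; the report marks them separately for manual follow-up."""
    return version is not None and version < FIXED_VERSION


def find_gpgsm_binaries() -> List[Path]:
    """Distinct gpgsm executables: the one on PATH plus any in the candidate dirs.
    A stray copy outside the managed install is exactly what the audit is for."""
    found = set()
    on_path = shutil.which("gpgsm")
    if on_path:
        found.add(Path(on_path).resolve())
    for d in CANDIDATE_DIRS:
        exe = Path(d) / "gpgsm.exe"
        if exe.is_file():
            found.add(exe.resolve())
    return sorted(found)


def query_version(exe: Path) -> Optional[Version]:
    """Run one binary with --version and parse the result."""
    proc = subprocess.run([str(exe), "--version"], capture_output=True, text=True, timeout=15)
    return parse_gpgsm_version(proc.stdout)


def audit() -> List[Tuple[Path, Optional[Version], bool]]:
    """(path, version or None, needs_update) for every gpgsm found on this host."""
    results = []
    for exe in find_gpgsm_binaries():
        version = query_version(exe)
        results.append((exe, version, needs_update(version)))
    return results


if __name__ == "__main__":
    rows = audit()
    if not rows:
        print("no gpgsm executable found")
    for exe, version, flagged in rows:
        shown = ".".join(map(str, version)) if version else "unknown"
        status = "UPDATE REQUIRED" if flagged else ("check manually" if version is None else "ok")
        print(f"{exe}: {shown} {status}")
```

Run it from an elevated prompt on each endpoint, or wrap it in the deployment tool of your choice; any row marked UPDATE REQUIRED points at a gpgsm that a mail client or gateway could still be invoking.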
For environments where immediate patching is impossible, the suggested workaround is to disable AES-GCM in gpgsm's configuration. Be aware of two limits before relying on it: gpgsm's 'cipher-algo' setting in gpgsm.conf governs only the algorithm used when gpgsm encrypts, not which algorithms it accepts on decryption, and gpg-agent plays no part in algorithm selection for CMS at all. Check any candidate option against 'gpgsm --dump-options' and confirm with a test message that a GCM-protected object is actually refused; if it is not, the upgrade is the only effective mitigation. Forcing a CBC cipher on the sending side also breaks interoperability with correspondents who only accept AES-GCM.
The Bigger Parsing Lesson
CVE-2026-57062 is a textbook example of what happens when security-critical software fails to validate protocol parameters rigorously. Postel's robustness principle, "be conservative in what you send, be liberal in what you accept", has been blamed for countless vulnerabilities, from XML signature wrapping attacks to ASN.1 parser bugs. In cryptographic code, any deviation from the stated specification must be rejected outright, not silently accommodated.
Mature cryptographic libraries such as Bouncy Castle and OpenSSL learned this the hard way: their AEAD interfaces bound the tag lengths, nonce sizes, and key sizes they accept, and a CMS layer built on them still has to impose the narrower 12-to-16-byte range RFC 5084 requires. GnuPG, an older and historically more permissive codebase, still carries technical debt from its early design choices. This CVE is a reminder that even low-severity issues can erode trust silently: a message can decrypt without error and be displayed as intact by a mail client while its integrity protection is effectively absent.
The ASN.1 layer used by CMS is notoriously tricky. CMS is encoded in BER/DER, and the tag length is an ordinary INTEGER field, aes-ICVlen, inside the RFC 5084 GCMParameters SEQUENCE. The ASN.1 constraint on that field is (12 | 13 | 14 | 15 | 16), so a robust parser must check the decoded integer against exactly that allowlist rather than against whatever buffer it happens to have room for. In gpgsm this check was missing for AES-GCM. The fix adds a simple conditional that raises an error if the tag length is less than 12 bytes.
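To make the parsing point concrete, and to tie it back to the tag-length discussion in the AES-GCM section and the truncation mechanics in the vulnerability section, here is an added example in Python. It is not GnuPG's code: it encodes and decodes the RFC 5084 GCMParameters structure, contrasts the lenient behaviour the CVE describes with the strict allowlist check, and shows why a short aes-ICVlen collapses the forgery cost. The nonce and tag bytes are constructed sample values, and the 'strict' flag and function names are this example's own.

```python
"""Added example (not GnuPG's code): encode and parse RFC 5084 GCMParameters and
show why the aes-ICVlen allowlist check matters.

    GCMParameters ::= SEQUENCE {
        aes-nonce   OCTET STRING,
        aes-ICVlen  AES-GCM-ICVlen DEFAULT 12 }
    AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16)
"""
import hmac
from dataclasses import dataclass
from typing import Optional

ICVLEN_ALLOWED = range(12, 17)   # RFC 5084: 12..16 octets; 16 is the full GCM tag
ICVLEN_DEFAULT = 12


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value element; returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag, value, pos + length


def _write_tlv(tag: int, value: bytes) -> bytes:
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lenbytes = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lenbytes)]) + lenbytes + value


def encode_gcm_parameters(nonce: bytes, icvlen: Optional[int] = None) -> bytes:
    """DER-encode GCMParameters; icvlen=None omits the field (DEFAULT 12).
    Only single-byte positive INTEGERs are needed for this demonstration."""
    body = _write_tlv(0x04, nonce)
    if icvlen is not None:
        if not 0 <= icvlen < 128:
            raise ValueError("example supports aes-ICVlen 0..127 only")
        body += _write_tlv(0x02, bytes([icvlen]))
    return _write_tlv(0x30, body)


@dataclass
class GCMParameters:
    nonce: bytes
    icvlen: int


def parse_gcm_parameters(der: bytes, strict: bool = True) -> GCMParameters:
    """strict=False mirrors the lenient behaviour the CVE describes (any integer
    accepted); strict=True enforces the RFC 5084 range, the check the fix adds."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, nonce, pos = _read_tlv(body, 0)
    if tag != 0x04:
        raise ValueError("aes-nonce must be an OCTET STRING")
    icvlen = ICVLEN_DEFAULT
    if pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x02 or pos != len(body):
            raise ValueError("aes-ICVlen must be the final element and an INTEGER")
        icvlen = int.from_bytes(val, "big", signed=True)
    if strict and icvlen not in ICVLEN_ALLOWED:
        raise ValueError(f"aes-ICVlen {icvlen} outside RFC 5084 range 12..16")
    return GCMParameters(nonce, icvlen)


def verify_tag(computed_tag: bytes, received_tag: bytes, icvlen: int) -> bool:
    """A t-byte GCM tag is the first t bytes of the full 16-byte tag, so the verifier
    compares only that prefix (in constant time). With icvlen=4 a forgery only has
    to match four bytes."""
    if icvlen != len(received_tag) or icvlen > len(computed_tag):
        return False
    return hmac.compare_digest(computed_tag[:icvlen], received_tag)


def forgery_attempts_bits(icvlen: int) -> int:
    """log2 of the expected number of online forgery attempts against a random
    icvlen-byte tag: about half the tag space."""
    return 8 * icvlen - 1


if __name__ == "__main__":
    nonce = bytes(range(12))                                          # constructed sample
    full_tag = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")      # constructed sample
    crafted = encode_gcm_parameters(nonce, 4)                         # what the attacker sends
    lenient = parse_gcm_parameters(crafted, strict=False)
    print("lenient parser accepted aes-ICVlen", lenient.icvlen,
          "-> forgery in about 2^%d attempts" % forgery_attempts_bits(lenient.icvlen))
    try:
        parse_gcm_parameters(crafted)
    except ValueError as err:
        print("strict parser:", err)
    print("4-byte prefix verifies under icvlen 4:", verify_tag(full_tag, full_tag[:4], 4))
    print("same bytes under icvlen 16:", verify_tag(full_tag, full_tag[:4], 16))
```

The allowlist is a single membership test on the decoded INTEGER, which is the whole of the fix the article describes; the rest of the block exists to show what that integer controls downstream.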
What Windows Users Should Do
Beyond the immediate patch, Windows adopters of GnuPG should adopt a defense-in-depth posture:
- Do not mistake decryption for authentication. Successful decryption of an AuthEnvelopedData object says nothing about who sent it. If a message's origin is suspicious, check for a separate S/MIME signature and verify it with Kleopatra or 'gpgsm --verify', and treat an encrypted-but-unsigned message as unauthenticated.
- Prefer OpenPGP over S/MIME when possible. OpenPGP (using gpg) was not affected by this CVE. While not always suitable for enterprise directory-based key distribution, it avoids the CMS-specific attack surface.
- Monitor GnuPG mailing lists. The project's security announcements are the fastest way to learn about similar issues. Subscribing at https://lists.gnupg.org ensures timely alerts.
- Consider automated update mechanisms. For managed endpoints, use software deployment tools to roll out Gpg4win updates uniformly. The official Gpg4win setup program supports unattended installation (the /S switch of its NSIS-based installer), so it can be pushed without user interaction.
Enterprise administrators should also evaluate the S/MIME decoding pathway of any email security appliances that incorporate GnuPG. A simple test—sending a CMS message with a deliberately short AES-GCM tag—can reveal vulnerable gateways.
Looking Ahead
Low-severity vulnerabilities like CVE-2026-57062 rarely make headlines, but they are the cracks that, when compounded, undermine entire cryptographic infrastructures. The GnuPG project's transparency and rapid response are commendable, yet a patch cannot undo the years during which this parsing leniency went unnoticed. Proactive measures will increasingly be necessary as the software supply chain comes under more sophisticated attack: fuzz testing with negative test vectors drawn directly from the specification, formal verification of ASN.1 parsers, and memory-safe languages for the parsing layer, with the caveat that memory safety alone would not have caught this bug, which is a missing range check rather than a memory error.
For Windows users, the update to Gpg4win is a small, one-time action that closes a subtle but real gap in their email security armor. As email remains the most common vector for cyberattacks, every layer of protection counts. Stay patched, stay skeptical, and never assume that a green checkmark tells the whole story.