Vulnerability - CVE-2025-30258

›

›vulnerability›CVE-2025-30258

Name

CVE-2025-30258

Source

NVD ( link)Debian ( link)

Description

In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."

CWEs

Published Date

Mar 19, 2025

Updated Date

Jun 17, 2026

Workaround

-

Advisories

https://dev.gnupg.org/T7527Exploit

https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158Issue Tracking

https://lists.gnupg.org/pipermail/gnupg-announce/2025q1/000491.htmlMailing List

Analysis#

Affected Component

Analysis

Vulnerability Ratings#

2.7

CVSSv31

4.7

CVSSv31

NaN

other

Others affected components#

Name

Project

Project Version

Version

Status

buildroot

master

1.4.23

Exploitable

buildroot

master

2.5.20

Not Affected

openwrt

master

1.4.23-r5

Exploitable

openwrt

master

2.5.20-r1

Not Affected

openwrt

openwrt-25.12

1.4.23-r5

Exploitable

openwrt

openwrt-25.12

2.4.8-r1

Not Affected

yocto

kirkstone

2.3.7

Patched

yocto

master

2.5.17

Not Affected

yocto

scarthgap

2.4.9

Not Affected

Resolved with patches#

gnupg (yocto:kirkstone)

#

Title

Author

Resolve

1

gpg: Fix a verification DoS due to a malicious subkey in the

Yogita Urade <yogita.urade@windriver.com>

CVE-2025-30258

2

gpg: Fix double free of internal data.

Werner Koch <wk@gnupg.org>

CVE-2025-30258

3

gpg: Remove a signature check function wrapper.

Werner Koch <wk@gnupg.org>

CVE-2025-30258

4

gpg: Fix regression for the recent malicious subkey DoS fix.

Werner Koch <wk@gnupg.org>

CVE-2025-30258

5

gpg: Lookup key for merging/inserting only by primary key.

Werner Koch <wk@gnupg.org>

CVE-2025-30258