CVE-2025-30258 in GnuPG
Summary
by MITRE • 03/19/2025
In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 10/10/2025
The vulnerability identified as CVE-2025-30258 represents a critical denial-of-service condition within GnuPG version 2.5.4 and earlier, specifically affecting the certificate import and signature verification mechanisms. This flaw manifests when users attempt to import certificates containing deliberately crafted subkey data that either lacks valid back signatures or contains incorrect usage flags. The issue stems from insufficient validation routines within the GnuPG certificate processing pipeline, which fails to properly handle malformed or maliciously constructed certificate components during the import process.
The technical exploitation of this vulnerability occurs through the manipulation of certificate subkey structures where the attacker crafts subkey data that bypasses normal signature verification checks. When GnuPG processes such certificates, it encounters inconsistencies in the back signature validation or usage flag configurations that cause the system to enter an inconsistent state. This improper handling results in a cascading failure where the verification capabilities for other legitimate signing keys become compromised, effectively rendering the entire signature verification system non-functional for specific key combinations. The vulnerability operates at the core of GnuPG's key management and signature verification subsystems, exploiting weaknesses in the certificate validation logic.
The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise the integrity of cryptographic operations within environments relying on GnuPG for secure communications. Organizations using affected GnuPG versions face the risk of complete verification failures across their key infrastructure, making it impossible to validate legitimate signatures from trusted parties. This affects critical security workflows including software distribution verification, email encryption, and document signing processes where GnuPG serves as the primary verification mechanism. The DoS condition can be triggered remotely through certificate imports, making it particularly dangerous in automated systems or environments where certificate management occurs without manual intervention.
Mitigation strategies for this vulnerability require immediate upgrading to GnuPG version 2.5.5 or later, which includes patched validation routines that properly handle malformed certificate data. System administrators should implement strict certificate import policies and conduct thorough verification of all imported certificates before deployment. The vulnerability aligns with CWE-248, which addresses "Uncaught Exception" in software systems, and reflects patterns commonly seen in cryptographic library implementations where insufficient input validation leads to system instability. Organizations should also consider implementing additional monitoring and alerting mechanisms to detect unauthorized certificate imports that might attempt to exploit this vulnerability, aligning with ATT&CK technique T1566.001 for credential dumping and certificate manipulation. The patched version addresses the core validation logic by introducing comprehensive checks for back signature validity and usage flag consistency, preventing the state corruption that leads to verification DoS conditions.