CVE-2006-6235
Published: 2006-12-07
Priority: P3 (39) · Severity: critical · CVSS 2.0 base score: 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C (network, low complexity, no authentication; complete confidentiality, integrity and availability impact)
EPSS: 5.67% (92.0th percentile)
A "stack overwrite" vulnerability in GnuPG (gpg) 1.x before 1.4.6, 2.x before 2.0.2, and 1.9.0 through 1.9.95 allows attackers to execute arbitrary code via crafted OpenPGP packets that cause GnuPG to dereference a function pointer from deallocated stack memory.
Affected
31 ranges, 25 shown on this page. The 19 gnu/privacy_guard CPE entries and the two redhat/enterprise_linux_desktop entries carry no version data in this listing and are collapsed into one row each below.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gnupg2 | < 2.0.0-5.2 (bookworm) | 2.0.0-5.2 (bookworm) |
| gnu | privacy_guard | — (19 entries, versions not listed) | — |
| gpg4win | gpg4win | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux_desktop | — (2 entries) | — |
| redhat | fedora_core | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | HIGH | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
| vendor_ubuntu | — | 6.8 | MEDIUM | — |
Ubuntu: GnuPG vulnerability
vendor_ubuntu · 2006-12-07 · CVE-2006-6235
Tavis Ormandy discovered that gnupg was incorrectly using the stack. If a user were tricked into processing a specially crafted message, an attacker could execute arbitrary code with the user's privileges.
Instructions: In general, a standard system upgrade is sufficient to effect the necessary changes.
Ubuntu: GnuPG2 vulnerabilities
vendor_ubuntu · 2006-12-07 · CVSS 6.8 · CVE-2006-6169 [MEDIUM] (the same update also covers CVE-2006-6235)
USN-389-1 and USN-393-1 fixed vulnerabilities in gnupg. This update provides the corresponding updates for gnupg2.
Original advisory details:
A buffer overflow was discovered in GnuPG. By tricking a user into running gpg interactively on a specially crafted message, an attacker could execute arbitrary code with the user's privileges. This vulnerability is not exposed when running gpg in batch mode. (CVE-2006-6169)
Tavis Ormandy discovered that gnupg was incorrectly using the stack. If a user were tricked into processing a specially crafted message, an attacker could execute arbitrary code with the user's privileges. (CVE-2006-6235)
Instructions: In general, a standard system upgrade is sufficient to effect the necessary changes.
Red Hat: security flaw
vendor_redhat · 2006-12-06 · CVSS 10.0 · CVE-2006-6235 [CRITICAL]
Description: same as the NVD text at the top of this page.
Statement: Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Debian: gnupg2
vendor_debian · 2006 · CVSS 10.0 · CVE-2006-6235 [CRITICAL]
Description: same as the NVD text at the top of this page.
Scope: local
Status per release (all resolved, fixed in gnupg2 2.0.0-5.2): bookworm, bullseye, forky, sid, trixie
GHSA: GHSA-fxx3-6m2r-fwh5
ghsa_unreviewed · 2022-05-03 · CVE-2006-6235 [HIGH]
Description: same as the NVD text at the top of this page.
OSV: CVE-2006-6235
osv · 2006-12-07 · CVSS 10.0 · CVE-2006-6235 [CRITICAL]
Description: same as the NVD text at the top of this page.
No detection rules found.
No public exploits indexed.
Bugzilla: CVE-2006-6235 security flaw
bugzilla · 2018-08-16 · CVSS 10.0 · CVE-2006-6235 [CRITICAL]
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description: (as quoted at the top of this page)
---
Statement: Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Bugzilla: CVE-2006-6235: gnupg2 <= 2.0.1 stack overwrite vulnerability
bugzilla · 2006-12-07 · CVSS 10.0 · CVE-2006-6235 [CRITICAL]
CVE-2006-6235: gnupg2 2.0.1-2
- CVE-2006-6235 (bug #218821)
Older releases don't include the gpg2 (and friends) binaries, so they aren't (shouldn't!) be affected by this.
---
Seems so indeed.
Bugzilla: CVE-2006-6235 GnuPG references local variable after function returns
bugzilla · 2006-12-05 · CVSS 10.0 · CVE-2006-6235 [CRITICAL]
Description of problem:
Reference to local variable dfx of function decrypt_data() is used by the functions decode_filter() and mdc_decode_filter() after it is terminated, making it possible to overwrite the stack by changing its contents, which can potentially lead to arbitrary code execution (when program flow is altered by overwriting the return address stored on the stack).
Version-Release number of selected component (if applicable):
RHEL-2.1, RHEL-3, RHEL-4, RHEL-5, FC-5, FC-6
How reproducible:
No reproducer.
Discussion:
Created attachment 142874
Proposed fix (for 1.4.5)
---
The description is wrong. It is actually not possible to overwrite stack with reference to the structure, but the opposite -- modify
References
- ftp://patches.sgi.com/support/free/security/advisories/20061201-01-P.asc
- http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000491.html
- http://lists.suse.com/archive/suse-security-announce/2006-Dec/0004.html
- http://secunia.com/advisories/23245
- http://secunia.com/advisories/23250
- http://secunia.com/advisories/23255
- http://secunia.com/advisories/23259
- http://secunia.com/advisories/23269
- http://secunia.com/advisories/23284
- http://secunia.com/advisories/23290
- http://secunia.com/advisories/23299
- http://secunia.com/advisories/23303
- http://secunia.com/advisories/23329
- http://secunia.com/advisories/23335
- http://secunia.com/advisories/23513
- http://secunia.com/advisories/24047
- http://security.gentoo.org/glsa/glsa-200612-03.xml
- http://securitytracker.com/id?1017349
- http://support.avaya.com/elmodocs2/security/ASA-2007-047.htm
- http://www.debian.org/security/2006/dsa-1231
- http://www.kb.cert.org/vuls/id/427009
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:228
- http://www.novell.com/linux/security/advisories/2006_28_sr.html
- http://www.openpkg.com/security/advisories/OpenPKG-SA-2006.037.html
- http://www.redhat.com/support/errata/RHSA-2006-0754.html
- http://www.securityfocus.com/archive/1/453664/100/0/threaded
- http://www.securityfocus.com/archive/1/453723/100/0/threaded
- http://www.securityfocus.com/bid/21462
- http://www.trustix.org/errata/2006/0070
- http://www.ubuntu.com/usn/usn-393-1
- http://www.ubuntu.com/usn/usn-393-2
- http://www.vupen.com/english/advisories/2006/4881
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30711
- https://issues.rpath.com/browse/RPL-835
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11245