CVE-2025-30258: 
GNU Privacy Guard vulnerability analysis and mitigation

In GnuPG before version 2.5.5, a vulnerability was discovered that could lead to a verification denial of service (DoS) attack. The vulnerability, identified as CVE-2025-30258, affects systems where a user imports a certificate with certain crafted subkey data that lacks a valid backsig or has incorrect usage flags. This vulnerability was discovered in February 2025 and was patched in March 2025 (GnuPG Announce, NVD).

The vulnerability stems from an issue where if a malicious certificate is imported with crafted subkey data lacking valid backsigs or containing incorrect usage flags, it prevents the verification of signatures made from certain other signing keys. The vulnerability has been assigned a CVSS v3.1 score of 2.7 (LOW) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L. The issue is classified under CWE-754 (Improper Check for Unusual or Exceptional Conditions) (NVD).

When exploited, this vulnerability causes a denial of service condition specifically affecting signature verification capabilities. Users lose the ability to verify signatures made from certain signing keys after importing a malicious certificate. This impacts the system's ability to verify the authenticity of signed files and communications (GnuPG Bug).

The vulnerability has been fixed in GnuPG version 2.5.5. The fix involves changes to how GnuPG handles key lookups and verification processes. Users are advised to upgrade to version 2.5.5 or later to mitigate this vulnerability. The patch specifically addresses the verification DoS issue caused by malicious subkeys in the keyring (GnuPG Commit, GnuPG Announce).