CVE-2021-40528
5.9 MEDIUMThe ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libr...
Published: 2021-09-06 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 5.9 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE
- CWE-327
Affected products
| Vendor | Product |
|---|---|
| gnupg | libgcrypt |
Description
The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-40528
- [Other]https://eprint.iacr.org/2021/923
- [Other]https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=3462280f2e23e16adf3ed5176e0f2413d8861320
- [Other]https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
- [Exploit reference]https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2
- [Other]https://security.gentoo.org/glsa/202210-13
- [Other]https://eprint.iacr.org/2021/923
- [Other]https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=3462280f2e23e16adf3ed5176e0f2413d8861320
- [Other]https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
- [Exploit reference]https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2
- [Other]https://security.gentoo.org/glsa/202210-13
Related CVEs
Same vendor
- CVE-2021-3345 — _gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function s... (7.8 HIGH)
Same CWE
- CVE-2026-9261 — Use of weak SSH cryptographic algorithms in Canon EOS Network Setting Tool Version 1.5.0 or earlier (6.8 MEDIUM)
- CVE-2026-50086 — The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trups against the platform's signing key without authent... (10.0 CRITICAL)
- CVE-2026-40996 — Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation Reques... (4.8 MEDIUM)
- CVE-2025-10237 — During an internal security assessment, a potential vulnerability was discovered in some ThinkPad embedded controller firmware that could... (6.7 MEDIUM)
- CVE-2026-11481 — A vulnerability was determined in yoanbernabeu grepai up to 0.35.0 (2.5 LOW)