[Bug 2137220] Re: CVE-2025-68973 and CVE-2025-68972 in Ubuntu

Saurav Ghosh 2137220 at bugs.launchpad.net
Fri Mar 27 11:34:50 UTC 2026


Summary
-------
We are reporting CVE-2025-68972 affecting Ubuntu gnupg-related packages on arm64 in Ubuntu Jammy-based container images.
This is currently blocking customer release (FedRAMP-related delivery gate).

CVE
---
- CVE: CVE-2025-68972
- Severity (scanner): Medium

Affected Environment
--------------------
- Ubuntu release: jammy (22.04)
- Architecture: arm64
- Affected packages:
  ubuntu:jammy:dirmngr
  ubuntu:jammy:gnupg
  ubuntu:jammy:gnupg-l10n
  ubuntu:jammy:gnupg-utils
  ubuntu:jammy:gpg
  ubuntu:jammy:gpg-agent
  ubuntu:jammy:gpg-wks-client
  ubuntu:jammy:gpg-wks-server
  ubuntu:jammy:gpgconf
  ubuntu:jammy:gpgsm
  ubuntu:jammy:gpgv
- Occurrences: 77
- Components impacted: 11
- Source files impacted: 7

Business Impact
---------------
- This CVE currently blocks customer image acceptance/release.
- Compliance impact: FedRAMP customer gating on unresolved vulnerabilities.
- We need Canonical guidance for remediation timeline.

Request
-------
Please provide one of:
1) Fix ETA / USN for jammy arm64 package update, or
2) Official status/rationale (not-affected / deferred / ignored) with technical justification.

https://bugs.launchpad.net/bugs/2137220

Title:
  CVE-2025-68973 and CVE-2025-68972 in Ubuntu

Status in gnupg2 package in Ubuntu:
  Triaged

Bug description:
  Over Christmas (fun, I know) there was a talk about security
  vulnerabilities in GnuPG.

  See discussion here: https://www.openwall.com/lists/oss-security/2025/12/28/5

  There are related Debian bugs here:

  https://security-tracker.debian.org/tracker/CVE-2025-68972
  https://security-tracker.debian.org/tracker/CVE-2025-68973

  These don't seem to be in the Ubuntu CVE tracker (e.g.
  https://ubuntu.com/security/CVE-2025-68973)

  Given that apt:

  a) Pulls what appear to be ASCII-armored signatures over HTTP (or from possibly untrustworthy mirrors), and
  b) Passes them to gpgv to verify, running presumably as root,

  then CVE-2025-68973 would appear to effectively allow anyone who
  controls a user's DNS or mirror to execute code as root on that user's
  machine, without user interaction (as of course unattended-upgrades
  does all this) or when a user runs apt update.

  This seems to affect 24.04, 22.04 etc.
