[Bug 2137220] Re: CVE-2025-68973 and CVE-2025-68972 in Ubuntu
Eduardo Barretto
2137220 at bugs.launchpad.net
Fri Mar 27 12:05:18 UTC 2026
Hi Saurav,
For requests like that, please get in contact with a sales
representative instead, as your question can get lost in the middle of
other bugs.
Regarding that CVE specifically, please check our CVE Tracker as it should have the information you are looking for:
https://ubuntu.com/security/CVE-2025-68972
https://bugs.launchpad.net/bugs/2137220
Title:
CVE-2025-68973 and CVE-2025-68972 in Ubuntu
Status in gnupg2 package in Ubuntu:
Triaged
Bug description:
Over Christmas (fun, I know) there was a talk about security
vulnerabilities in GnuPG.
See discussion here: https://www.openwall.com/lists/oss-security/2025/12/28/5
There are related Debian bugs here:
https://security-tracker.debian.org/tracker/CVE-2025-68972
https://security-tracker.debian.org/tracker/CVE-2025-68973
These don't seem to be in the Ubuntu CVE tracker (e.g.
https://ubuntu.com/security/CVE-2025-68973)
Given that apt:
a) Pulls what appear to be ASCII-armored signatures over HTTP (or from possibly untrustworthy mirrors) and
b) Passes them to gpgv to verify, running presumably as root,
then CVE-2025-68973 would appear to effectively allow anyone who
controls a user's DNS or mirror to execute code as root on that user's
machine, without user interaction (as of course unattended-upgrades
does all this) or when a user runs apt update.
This seems to affect 24.04, 22.04 etc.
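A defender-side check for the precondition the report leans on (mirrors reached over plain HTTP), added here as an example and not code from the bug report or from apt itself: it reads apt source definitions in both the classic one-line and the deb822 `URIs:` form and lists the plain-http mirror URIs. The sample stanza and hostnames are constructed.

```shell
#!/bin/sh
# Audit apt source definitions for mirrors fetched over plain HTTP.
# Reads source stanzas on stdin and prints each distinct http:// URI,
# one per line, sorted. Handles:
#   deb [options] URI suite components     (one-line format)
#   URIs: uri1 uri2 ...                    (deb822 .sources format)
find_plain_http_sources() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        $1 == "deb" || $1 == "deb-src" {        # one-line format
            for (i = 2; i <= NF; i++) {
                # skip an optional [opt1 opt2 ...] block before the URI
                if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; continue }
                if ($i ~ /^http:\/\//) seen[$i] = 1
                break
            }
        }
        tolower($1) == "uris:" {                # deb822 format
            for (i = 2; i <= NF; i++) if ($i ~ /^http:\/\//) seen[$i] = 1
        }
        END { for (u in seen) print u }
    ' | sort
}

# Number of distinct plain-http mirrors found on stdin.
count_plain_http_sources() {
    find_plain_http_sources | wc -l | tr -d ' '
}

# Constructed sample input (hostnames are placeholders, not real mirrors).
SAMPLE_SOURCES='# constructed sample
deb http://archive.example.org/ubuntu noble main restricted
deb [arch=amd64 signed-by=/usr/share/keyrings/k.gpg] http://mirror.example.net/ubuntu noble-updates main
deb https://secure.example.org/ubuntu noble-security main
deb-src http://archive.example.org/ubuntu noble main
Types: deb
URIs: http://deb822.example.org/ubuntu https://deb822.example.org/ubuntu
Suites: noble
Components: main'

# Run the audit over the sample; on a live host replace the printf with:
#   cat /etc/apt/sources.list /etc/apt/sources.list.d/* 2>/dev/null
audit_sample() {
    printf '%s\n' "$SAMPLE_SOURCES" | find_plain_http_sources
}
```

Any URI printed is a mirror whose Release and signature files arrive unencrypted before gpgv sees them, which is the exposure the report describes; the fix for the gnupg2 side is the package update tracked at the CVE page above.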