CVE-2021-40528 - Vulnerability Details - OpenCVE

The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Gnupg	Libgcrypt
Redhat	Enterprise Linux

Configuration 1 [-]

cpe:2.3:a:gnupg:libgcrypt:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
libgcrypt-0:1.8.5-7.el8_6	cpe:/o:redhat:enterprise_linux:8	RHSA-2022:5311	2022-06-30T00:00:00Z

References

Link	Providers
https://dev.gnupg.org/rCb118681ebc4c9ea4b9da79b0f9541405a64f4c13
https://eprint.iacr.org/2021/923
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=3462280f2e23e16adf3ed5176e0f2413d8861320
https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2
https://nvd.nist.gov/vuln/detail/CVE-2021-40528
https://security.gentoo.org/glsa/202210-13
https://www.cve.org/CVERecord?id=CVE-2021-40528

History

Mon, 09 Jun 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-09-06T00:00:00.000Z

Updated: 2025-06-09T15:13:03.906Z

Reserved: 2021-09-06T00:00:00.000Z

Link: CVE-2021-40528

Vulnrichment

Updated: 2024-08-04T02:44:10.845Z

NVD

Status : Modified

Published: 2021-09-06T19:15:07.587

Modified: 2025-06-09T16:15:33.000

Link: CVE-2021-40528

Redhat

Severity : Moderate

Publid Date: 2021-07-20T00:00:00Z

Links: CVE-2021-40528 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-40528", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-06-09T15:13:03.906Z", "dateReserved": "2021-09-06T00:00:00.000Z", "datePublished": "2021-09-06T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-10-31T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://eprint.iacr.org/2021/923"}, {"url": "https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1"}, {"url": "https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2"}, {"url": "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=3462280f2e23e16adf3ed5176e0f2413d8861320"}, {"name": "GLSA-202210-13", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202210-13"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:44:10.845Z"}, "title": "CVE Program Container", "references": [{"url": "https://eprint.iacr.org/2021/923", "tags": ["x_transferred"]}, {"url": "https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1", "tags": ["x_transferred"]}, {"url": "https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2", "tags": ["x_transferred"]}, {"url": "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=3462280f2e23e16adf3ed5176e0f2413d8861320", "tags": ["x_transferred"]}, {"name": "GLSA-202210-13", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202210-13"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-327", "lang": "en", "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-06-09T15:12:20.359985Z", "id": "CVE-2021-40528", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-09T15:13:03.906Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://eprint.iacr.org/2021/923", "tags": ["x_transferred"]}, {"url": "https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1", "tags": ["x_transferred"]}, {"url": "https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2", "tags": ["x_transferred"]}, {"url": "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=3462280f2e23e16adf3ed5176e0f2413d8861320", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202210-13", "name": "GLSA-202210-13", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:44:10.845Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2021-40528", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-09T15:12:20.359985Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-327", "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-09T15:12:40.237Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://eprint.iacr.org/2021/923"}, {"url": "https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1"}, {"url": "https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2"}, {"url": "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=3462280f2e23e16adf3ed5176e0f2413d8861320"}, {"url": "https://security.gentoo.org/glsa/202210-13", "name": "GLSA-202210-13", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-10-31T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2021-40528", "state": "PUBLISHED", "dateUpdated": "2025-06-09T15:13:03.906Z", "dateReserved": "2021-09-06T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2021-09-06T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnupg:libgcrypt:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8F745E7-4B6F-404D-997D-0B27ED8DB2D6", "versionEndExcluding": "1.9.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP."}, {"lang": "es", "value": "Una implementaci\u00f3n de ElGamal en Libgcrypt versiones anteriores a 1.9.4, permite una recuperaci\u00f3n de texto plano porque, durante la interacci\u00f3n entre dos bibliotecas criptogr\u00e1ficas, una determinada combinaci\u00f3n peligrosa del primo definido por la clave p\u00fablica del receptor, el generador definido por la clave p\u00fablica del receptor y los exponentes ef\u00edmeros del emisor puede conllevar a un ataque de configuraci\u00f3n cruzada contra OpenPGP."}], "id": "CVE-2021-40528", "lastModified": "2025-06-09T16:15:33.000", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2021-09-06T19:15:07.587", "references": [{"source": "cve@mitre.org", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://eprint.iacr.org/2021/923"}, {"source": "cve@mitre.org", "url": "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=3462280f2e23e16adf3ed5176e0f2413d8861320"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-13"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://eprint.iacr.org/2021/923"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=3462280f2e23e16adf3ed5176e0f2413d8861320"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-13"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-327"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2022:5311", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "libgcrypt-0:1.8.5-7.el8_6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-06-30T00:00:00Z"}], "bugzilla": {"description": "libgcrypt: ElGamal implementation allows plaintext recovery", "id": "2002816", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2002816"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "details": ["The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.", "A flaw was found in libgcrypt's ElGamal implementation, where it allows plain text recovery. During the interaction between two cryptographic libraries, a certain combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP. The highest threat from this vulnerability is to confidentiality."], "name": "CVE-2021-40528", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "libgcrypt", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "libgcrypt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "libgcrypt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2021-07-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-40528\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-40528\nhttps://dev.gnupg.org/rCb118681ebc4c9ea4b9da79b0f9541405a64f4c13\nhttps://eprint.iacr.org/2021/923\nhttps://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1\nhttps://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2"], "statement": "Please note that there was a mixup between this CVE and CVE-2021-33560. At this time, both CVEs should be assumed to refer to the same issue. More information will be provided in the near future. See the first link in External References for more information.", "threat_severity": "Moderate"}