Libgcrypt update released to fix local side-channel attack

Reference: Advisory #2017-001
CVE ID: CVE-2017-7526
Version: 1.0
Affected software: GnuPG Libgcrypt versions: 1.7.7; 1.7.3; 1.6.6; 1.6.1; 1.6; 1.5.6; 1.5.4; 1.6.3; 1.6.2; 1.5.3; 1.5.2; 1.5.1; 1.5.0; 1.4.6; 1.4.5; 1.4.4; 1.4.3; 1.4.0
Type: Cryptography, side-channel attack


An attacker could exploit this vulnerability to obtain sensitive information that may aid in further attacks.


Libgcrypt is a library of cryptographic building blocks. It is used by cryptographic tools and was originally based on GnuPG.
This library is vulnerable to a side-channel attack allowing full key recovery for RSA-1024. The same attack is believed to work on RSA-2048 with moderately more computation.
Note that this side-channel attack requires that the attacker can run arbitrary software on the hardware where the private RSA key is used.
Note that RSA-1024 and RSA-1280 are widely used in some applications, such as DNSSEC.

Recommended action

The developers of GnuPG and Libgcrypt have released updates to remediate this vulnerability. Please patch your systems to Libgcrypt 1.7.8.

• Ubuntu:
• Debian:
• Fedora:
• Redhat:
• Suse 11:
• Suse 12:
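
To see whether a host still runs a Libgcrypt older than the fixed 1.7.8 release, the following added example (not part of the original advisory) reads the version that `gpg --version` or `libgcrypt-config --version` reports and compares it with 1.7.8. The function names are illustrative. Distribution packages may carry the fix under an older upstream version string, so an "update-needed" result should be confirmed against the vendor advisory.

```shell
#!/bin/sh
# Fixed upstream release named in the advisory.
FIXED_VERSION="1.7.8"

# version_lt A B: exit 0 when dotted version A is lower than B.
# Fields are compared numerically, so 1.10.0 sorts above 1.7.8.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Read `gpg --version` output on stdin and print the version from
# its "libgcrypt X.Y.Z" line (GnuPG 2.x prints one).
extract_libgcrypt_version() {
    awk '$1 == "libgcrypt" { print $2; exit }'
}

# Print "update-needed", "ok" or "unknown" for a version string.
classify_libgcrypt() {
    if [ -z "$1" ]; then
        echo "unknown"
    elif version_lt "$1" "$FIXED_VERSION"; then
        echo "update-needed"
    else
        echo "ok"
    fi
}

# Check the local host: prefer gpg, fall back to libgcrypt-config.
check_installed() {
    v=""
    if command -v gpg >/dev/null 2>&1; then
        v=$(gpg --version 2>/dev/null | extract_libgcrypt_version)
    fi
    if [ -z "$v" ] && command -v libgcrypt-config >/dev/null 2>&1; then
        v=$(libgcrypt-config --version 2>/dev/null)
    fi
    echo "libgcrypt ${v:-not found}: $(classify_libgcrypt "$v")"
}

check_installed
```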

Other affected software that uses this library includes, among others:
• Gpg4Win: