GnuPG Fixes Critical KEM Stack Buffer Overflow
On Jan. 27, 2026, GnuPG released version 2.5.17 to fix a critical stack buffer overflow in gpg-agent that affects versions 2.5.13–2.5.16 and related Gpg4win releases. The flaw, reported by OpenAI Security Research on Jan. 18, 2026, is triggered by crafted CMS/S-MIME EnvelopedData carrying an oversized wrapped session key, and can lead to denial of service (DoS) or likely remote code execution. Users must update immediately.
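To find hosts still inside the affected range, the following shell script classifies a gpg-agent version against the versions named above and checks both the installed binary and any running agent. It is an added example, not GnuPG project code; the function names are hypothetical, and Gpg4win is not covered because its release numbers are not given here.

```shell
#!/bin/sh
# Added example, not GnuPG project code. The range comes from the summary above:
# affected 2.5.13 through 2.5.16, fixed in 2.5.17.

# Print "affected", "not-affected" or "unknown" for a plain x.y.z version.
gnupg_kem_status() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    if [ $# -ne 3 ]; then echo unknown; return 0; fi
    if [ "$1" -eq 2 ] && [ "$2" -eq 5 ] && [ "$3" -ge 13 ] && [ "$3" -le 16 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Version from the first line of `gpg-agent --version`, e.g. "gpg-agent (GnuPG) 2.5.16".
version_from_banner() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Version from `gpg-connect-agent 'getinfo version' /bye`, which answers "D <version>".
version_from_getinfo() {
    printf '%s\n' "$1" | awk '$1 == "D" { print $2; exit }'
}

# Check the installed binary and, if one is running, the live agent process.
check_local_agent() {
    installed=$(version_from_banner "$(gpg-agent --version 2>/dev/null)")
    running=$(version_from_getinfo \
        "$(gpg-connect-agent --no-autostart 'getinfo version' /bye 2>/dev/null)")
    echo "installed gpg-agent: ${installed:-none} ($(gnupg_kem_status "$installed"))"
    echo "running gpg-agent:   ${running:-none} ($(gnupg_kem_status "$running"))"
}

# Run the local check only when asked: sh check.sh --local
if [ "${1:-}" = "--local" ]; then check_local_agent; fi
```

An agent started before the upgrade keeps running the old code, so if the running version still reports as affected after updating, restart it with `gpgconf --kill gpg-agent`.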



