GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared as if it has all bits set , which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey. The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service via a crafted OpenPGP message.