There is a heap buffer overflow in libgcrypt due to an incorrect
assumption in the block buffer management code. Just decrypting some
data can overflow a heap buffer with attacker controlled data, no
verification or signature is validated before the vulnerability
occurs.
This probably got dug up on the occasion of Libgcrypt 1.9.0 vulnerability https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html
Maybe https://sequoia-pgp.org/blog/2021/01/26/202101-sq-release/ got it on people’s minds?