CVE details: https://www.cve.org/CVERecord?id=CVE-2025-30258

Download the latest GnuPG installer exe from here: https://gnupg.org/ftp/gcrypt/binary/ gnupg-w32-2.5.5_20250307.exe

Running the installer will delete the contents of C:\Program Files (x86)\GnuPG and will create C:\Program Files\GnuPG

This causes Kleopatra to complain with an error like

Kleopatra could not determine gnupghome

I fixed it by deleting the x86 GnuPG dir and linking to the new directory using an Admin powershell window

New-Item -ItemType Junction -Path "C:\Program Files (x86)\GnuPG" -Target "C:\Program Files\GnuPG"

Now, I'm on the latest GPG and Kleopatra recognizes it is using the latest version of GnuPG

❯ Get-Command gpg | Format-List

Name            : gpg.exe
CommandType     : Application
Definition      : C:\Program Files (x86)\Gpg4win\..\Gnupg\Bin\gpg.exe
Extension       : .exe
Path            : C:\Program Files (x86)\Gpg4win\..\Gnupg\Bin\gpg.exe
FileVersionInfo : File:             C:\Program Files (x86)\Gpg4win\..\Gnupg\Bin\gpg.exe
                  InternalName:     gpg
                  OriginalFilename: gpg.exe
                  FileVersion:      2.5.5 (5b8c5f719) built on <anon> at <none>
                  FileDescription:  GnuPG’s OpenPGP tool
                  Product:          GNU Privacy Guard (GnuPG)
                  ProductVersion:   2.5.5
                  Debug:            False
                  Patched:          False
                  PreRelease:       False
                  PrivateBuild:     False
                  SpecialBuild:     False
                  Language:         English (United States)

It looks like there's also a Gpg4Win beta that might have been easier but it just says "Uses GnuPG 2.5" which might not mean 2.5.5 idk

https://gpg4win.org/version5.html