PSA: PGP/GPG and S/MIME vulnerabilities found

Earlier today, a group of European researchers from Münster University, Ruhr-University, and KU Leuven University released a warning on Twitter:

The EFF advises completely disabling PGP/GPG and S/MIME from your email client as a temporary measure. There are guides for Enigmail on Thunderbird, AppleMail with GPGTools and Outlook with Gpg4Win.

Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.

The details of the exploit have not yet been released, but the early description looks like RCE (Remote Code Execution).

EFF's recommendation is to use an alternative end-to-end secure channel such as Signal.

UPDATE: The vulnerability is not in the protocol itself, but rather in the implementation in various email clients.

Here is a chart listing the vulnerable email clients: