The proglottis Go wrapper for the GPGME library before 0.1.1 has a use-after-free, as demonstrated when Docker or CRI-O use it for container image pulls. This leads to a crash or potential code execution during GPG signature verification.
https://github.com/proglottis/gpgme/pull/23
https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1
https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1
https://bugzilla.redhat.com/show_bug.cgi?id=1795838
https://access.redhat.com/errata/RHSA-2020:0697