RHSA-2026:13274
Vulnerability from csaf_redhat - Published: 2026-05-02 22:26 - Updated: 2026-05-04 13:23Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Severity
Important
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs:
gnutls:
* gnutls-3.8.13-1.hum1 (aarch64, x86_64)
* gnutls-c++-3.8.13-1.hum1 (aarch64, x86_64)
* gnutls-dane-3.8.13-1.hum1 (aarch64, x86_64)
* gnutls-devel-3.8.13-1.hum1 (aarch64, x86_64)
* gnutls-fips-3.8.13-1.hum1 (aarch64, x86_64)
* gnutls-utils-3.8.13-1.hum1 (aarch64, x86_64)
* mingw32-gnutls-3.8.13-1.hum1 (noarch)
* mingw64-gnutls-3.8.13-1.hum1 (noarch)
* gnutls-3.8.13-1.hum1.src (src)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.
CWE-179 - Incorrect Behavior Order: Early Validation
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://images.redhat.com/
https://access.redhat.com/errata/RHSA-2026:13274
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.
6.5 (Medium)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://images.redhat.com/
https://access.redhat.com/errata/RHSA-2026:13274
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.
7.5 (High)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://images.redhat.com/
https://access.redhat.com/errata/RHSA-2026:13274
A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.
7.5 (High)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://images.redhat.com/
https://access.redhat.com/errata/RHSA-2026:13274
References
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\ngnutls:\n * gnutls-3.8.13-1.hum1 (aarch64, x86_64)\n * gnutls-c++-3.8.13-1.hum1 (aarch64, x86_64)\n * gnutls-dane-3.8.13-1.hum1 (aarch64, x86_64)\n * gnutls-devel-3.8.13-1.hum1 (aarch64, x86_64)\n * gnutls-fips-3.8.13-1.hum1 (aarch64, x86_64)\n * gnutls-utils-3.8.13-1.hum1 (aarch64, x86_64)\n * mingw32-gnutls-3.8.13-1.hum1 (noarch)\n * mingw64-gnutls-3.8.13-1.hum1 (noarch)\n * gnutls-3.8.13-1.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:13274",
"url": "https://access.redhat.com/errata/RHSA-2026:13274"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33845",
"url": "https://access.redhat.com/security/cve/CVE-2026-33845"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-3833",
"url": "https://access.redhat.com/security/cve/CVE-2026-3833"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-3832",
"url": "https://access.redhat.com/security/cve/CVE-2026-3832"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33846",
"url": "https://access.redhat.com/security/cve/CVE-2026-33846"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_13274.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-05-04T13:23:52+00:00",
"generator": {
"date": "2026-05-04T13:23:52+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.8"
}
},
"id": "RHSA-2026:13274",
"initial_release_date": "2026-05-02T22:26:22+00:00",
"revision_history": [
{
"date": "2026-05-02T22:26:22+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-05-04T12:22:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-04T13:23:52+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "gnutls-main@aarch64",
"product": {
"name": "gnutls-main@aarch64",
"product_id": "gnutls-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/gnutls@3.8.13-1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "gnutls-main@src",
"product": {
"name": "gnutls-main@src",
"product_id": "gnutls-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/gnutls@3.8.13-1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "gnutls-main@x86_64",
"product": {
"name": "gnutls-main@x86_64",
"product_id": "gnutls-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/gnutls@3.8.13-1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "gnutls-main@noarch",
"product": {
"name": "gnutls-main@noarch",
"product_id": "gnutls-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mingw32-gnutls@3.8.13-1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "gnutls-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:gnutls-main@aarch64"
},
"product_reference": "gnutls-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gnutls-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:gnutls-main@noarch"
},
"product_reference": "gnutls-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gnutls-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:gnutls-main@src"
},
"product_reference": "gnutls-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gnutls-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:gnutls-main@x86_64"
},
"product_reference": "gnutls-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-3832",
"cwe": {
"id": "CWE-179",
"name": "Incorrect Behavior Order: Early Validation"
},
"discovery_date": "2026-03-09T13:41:32.810000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2445762"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "gnutls: gnutls: Security bypass allows acceptance of revoked server certificates via crafted OCSP response",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue has a LOW impact. A flaw in gnutls\u0027 OCSP stapling implementation allows a client with OCSP verification enabled to accept a revoked server certificate. This occurs when a multi-record OCSP response is stapled, and the client incorrectly reads the certificate status from an unrelated record, leading to an order-dependent acceptance of a revoked certificate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:gnutls-main@aarch64",
"Red Hat Hardened Images:gnutls-main@noarch",
"Red Hat Hardened Images:gnutls-main@src",
"Red Hat Hardened Images:gnutls-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-3832"
},
{
"category": "external",
"summary": "RHBZ#2445762",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445762"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-3832",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3832"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3832",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3832"
},
{
"category": "external",
"summary": "https://gitlab.com/gnutls/gnutls/-/issues/1801",
"url": "https://gitlab.com/gnutls/gnutls/-/issues/1801"
}
],
"release_date": "2026-04-30T17:29:25.738000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-02T22:26:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:gnutls-main@aarch64",
"Red Hat Hardened Images:gnutls-main@noarch",
"Red Hat Hardened Images:gnutls-main@src",
"Red Hat Hardened Images:gnutls-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:13274"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Hardened Images:gnutls-main@aarch64",
"Red Hat Hardened Images:gnutls-main@noarch",
"Red Hat Hardened Images:gnutls-main@src",
"Red Hat Hardened Images:gnutls-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:gnutls-main@aarch64",
"Red Hat Hardened Images:gnutls-main@noarch",
"Red Hat Hardened Images:gnutls-main@src",
"Red Hat Hardened Images:gnutls-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "gnutls: gnutls: Security bypass allows acceptance of revoked server certificates via crafted OCSP response"
},
{
"cve": "CVE-2026-3833",
"cwe": {
"id": "CWE-178",
"name": "Improper Handling of Case Sensitivity"
},
"discovery_date": "2026-03-09T14:02:09.783000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2445763"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "gnutls: GnuTLS: Policy bypass due to case-sensitive nameConstraints comparison",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue is particularly important because it affects the correct enforcement of X.509 nameConstraints, which are specifically designed to limit the authority of subordinate CAs. In GnuTLS, the use of case-sensitive comparisons (memcmp) for dNSName and the domain portion of rfc822Name violates the case-insensitive matching requirements defined in RFC 5280 and RFC 4343. As a result, a constrained subordinate CA can bypass excludedSubtrees or permittedSubtrees restrictions simply by changing the letter casing of a domain in the SAN (e.g., ExAmPlE.CoM vs example.com). Since nameConstraints are often the only mechanism enforcing domain boundaries in delegated PKI hierarchies, this flaw effectively allows a malicious or compromised sub-CA to issue certificates for domains that should be cryptographically prohibited, enabling unauthorized certificate validation and potential TLS impersonation of restricted services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:gnutls-main@aarch64",
"Red Hat Hardened Images:gnutls-main@noarch",
"Red Hat Hardened Images:gnutls-main@src",
"Red Hat Hardened Images:gnutls-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-3833"
},
{
"category": "external",
"summary": "RHBZ#2445763",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445763"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-3833",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3833"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3833",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3833"
},
{
"category": "external",
"summary": "https://gitlab.com/gnutls/gnutls/-/issues/1803",
"url": "https://gitlab.com/gnutls/gnutls/-/issues/1803"
}
],
"release_date": "2026-04-30T17:26:28.969000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-02T22:26:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:gnutls-main@aarch64",
"Red Hat Hardened Images:gnutls-main@noarch",
"Red Hat Hardened Images:gnutls-main@src",
"Red Hat Hardened Images:gnutls-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:13274"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Hardened Images:gnutls-main@aarch64",
"Red Hat Hardened Images:gnutls-main@noarch",
"Red Hat Hardened Images:gnutls-main@src",
"Red Hat Hardened Images:gnutls-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:gnutls-main@aarch64",
"Red Hat Hardened Images:gnutls-main@noarch",
"Red Hat Hardened Images:gnutls-main@src",
"Red Hat Hardened Images:gnutls-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "gnutls: GnuTLS: Policy bypass due to case-sensitive nameConstraints comparison"
},
{
"cve": "CVE-2026-33845",
"cwe": {
"id": "CWE-191",
"name": "Integer Underflow (Wrap or Wraparound)"
},
"discovery_date": "2026-03-24T05:35:59.740000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2450624"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "gnutls: GnuTLS: Denial of Service via DTLS zero-length fragment",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue marked as Important severity due to its remote, pre-authentication reachability and its impact on a critical DTLS handshake parsing path. The vulnerability can be triggered by an unauthenticated attacker sending crafted DTLS handshake fragments, requiring no prior access or interaction. It leads to an out-of-bounds read caused by an integer underflow in fragment reassembly, operating entirely on attacker-controlled input. Such flaws in low-level protocol parsing are particularly serious, as they may result in disclosure of sensitive process memory, including cryptographic or session-related data, and can also cause reliable application crashes leading to denial of service. Given that DTLS is commonly used in network-facing services such as VPNs and real-time communication systems, the exposure surface is broad. The combination of unauthenticated remote exploitation, memory safety violation, and potential confidentiality and availability impact justifies classifying this issue as high severity rather than moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:gnutls-main@aarch64",
"Red Hat Hardened Images:gnutls-main@noarch",
"Red Hat Hardened Images:gnutls-main@src",
"Red Hat Hardened Images:gnutls-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33845"
},
{
"category": "external",
"summary": "RHBZ#2450624",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450624"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33845",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33845"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33845",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33845"
}
],
"release_date": "2026-04-30T17:28:41.473000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-02T22:26:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:gnutls-main@aarch64",
"Red Hat Hardened Images:gnutls-main@noarch",
"Red Hat Hardened Images:gnutls-main@src",
"Red Hat Hardened Images:gnutls-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:13274"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:gnutls-main@aarch64",
"Red Hat Hardened Images:gnutls-main@noarch",
"Red Hat Hardened Images:gnutls-main@src",
"Red Hat Hardened Images:gnutls-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "gnutls: GnuTLS: Denial of Service via DTLS zero-length fragment"
},
{
"cve": "CVE-2026-33846",
"cwe": {
"id": "CWE-130",
"name": "Improper Handling of Length Parameter Inconsistency"
},
"discovery_date": "2026-03-24T05:38:09.899000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2450625"
}
],
"notes": [
{
"category": "description",
"text": "A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "gnutls: GnuTLS: Denial of Service via heap buffer overflow in DTLS handshake fragment reassembly",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability should be classified as an important flaw rather than moderate because it exposes a pre-authentication, remotely reachable heap buffer overflow in the DTLS handshake processing path, which is part of the core protocol handling logic and commonly exposed in network-facing services. The flaw enables an attacker to inject controlled data at attacker-chosen offsets and sizes beyond allocated heap boundaries by exploiting inconsistent message_length handling across fragments, effectively creating a constrained but meaningful heap write primitive. Unlike benign memory safety bugs, this condition is deterministically triggerable with a small number of crafted packets and no environmental dependencies for denial-of-service, and it targets a long-lived parsing state where memory corruption can affect adjacent heap structures. Even if reliable code execution requires additional heap manipulation or layout knowledge, the combination of remote reachability, lack of authentication, controlled memory corruption capability, and trivial crashability significantly elevates the risk profile beyond moderate severity. In real-world deployments, such primitives are often sufficient to enable heap grooming and exploitation chains, particularly in services that repeatedly process attacker-controlled input, making this a materially important security flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:gnutls-main@aarch64",
"Red Hat Hardened Images:gnutls-main@noarch",
"Red Hat Hardened Images:gnutls-main@src",
"Red Hat Hardened Images:gnutls-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33846"
},
{
"category": "external",
"summary": "RHBZ#2450625",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450625"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33846",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33846"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33846",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33846"
}
],
"release_date": "2026-05-04T08:53:59.249000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-02T22:26:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:gnutls-main@aarch64",
"Red Hat Hardened Images:gnutls-main@noarch",
"Red Hat Hardened Images:gnutls-main@src",
"Red Hat Hardened Images:gnutls-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:13274"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:gnutls-main@aarch64",
"Red Hat Hardened Images:gnutls-main@noarch",
"Red Hat Hardened Images:gnutls-main@src",
"Red Hat Hardened Images:gnutls-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "gnutls: GnuTLS: Denial of Service via heap buffer overflow in DTLS handshake fragment reassembly"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…