SB2026043071 - Multiple vulnerabilities in GnuTLS
Published: April 30, 2026
Description
This security bulletin contains information about 13 security vulnerabilities.
1) Heap-based buffer overflow (CVE-ID: CVE-2026-33846)
The vulnerability allows a remote attacker to cause a heap overwrite.
The vulnerability exists due to a heap-based buffer overflow in DTLS fragment handling when processing inconsistent DTLS fragments. A remote attacker can send specially crafted DTLS fragments to cause a heap overwrite.
2) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-42009)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper implementation of a qsort comparator contract in the DTLS packet sequence number comparator when ordering DTLS packets by sequence numbers. A remote attacker can send DTLS packets with duplicate sequence numbers to cause a denial of service.
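The comparator contract referred to above, as an added example that is not GnuTLS code: qsort requires a comparator to return 0 for equal keys and to give opposite signs when its arguments are swapped. The struct, the function names and the "broken" variant are hypothetical illustrations of one way that contract fails on duplicate keys.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical record: a buffered datagram keyed by its sequence number. */
struct pkt { uint64_t seq; int tag; };

/* Breaks the contract: never returns 0, so two packets with the same seq
 * each compare as "greater than" the other. */
static int cmp_broken(const void *a, const void *b)
{
    const struct pkt *x = a, *y = b;
    return x->seq < y->seq ? -1 : 1;
}

/* Three-way comparison: 0 for equal keys and cmp(a,b) == -cmp(b,a). */
static int cmp_seq(const void *a, const void *b)
{
    const struct pkt *x = a, *y = b;
    return (x->seq > y->seq) - (x->seq < y->seq);
}

/* 1 if sign(cmp(a,b)) == -sign(cmp(b,a)) for every pair in v, a == b included. */
static int is_consistent(int (*cmp)(const void *, const void *),
                         const struct pkt *v, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++) {
            int ab = cmp(&v[i], &v[j]), ba = cmp(&v[j], &v[i]);
            if ((ab > 0) - (ab < 0) != -((ba > 0) - (ba < 0)))
                return 0;
        }
    return 1;
}

/* Constructed batch with duplicate sequence numbers. */
static const struct pkt sample[] = { {7, 0}, {3, 1}, {7, 2}, {1, 3}, {3, 4} };

/* Sorts a copy of the sample with cmp_seq; 1 if the result is non-decreasing. */
static int sorted_ok(void)
{
    struct pkt v[5];
    for (size_t i = 0; i < 5; i++) v[i] = sample[i];
    qsort(v, 5, sizeof v[0], cmp_seq);
    for (size_t i = 1; i < 5; i++)
        if (v[i - 1].seq > v[i].seq) return 0;
    return 1;
}

int main(void) { return is_consistent(cmp_seq, sample, 5) &&
                        !is_consistent(cmp_broken, sample, 5) && sorted_ok() ? 0 : 1; }
```

A pairwise check like is_consistent is cheap to run in a unit test or fuzz harness over any comparator that is passed to qsort.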
3) Heap-based buffer overflow (CVE-ID: CVE-2026-33845)
The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.
The vulnerability exists due to a heap-based buffer overflow in the DTLS reassembly code when processing crafted DTLS fragments. A remote attacker can send specially crafted DTLS traffic to cause a denial of service or execute arbitrary code.
4) Improper Authentication (CVE-ID: CVE-2026-42010)
The vulnerability allows a remote attacker to bypass authentication.
The vulnerability exists due to improper authentication in RSA-PSK username matching when processing usernames containing a NUL character. A remote attacker can supply a specially crafted username to bypass authentication.
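Why an embedded NUL matters for identity matching, as an added example that is not GnuTLS code: an identity arrives as bytes with an explicit length, and any comparison that treats it as a C string stops at the first NUL. The struct, function names and sample identities are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Identity as received: bytes plus an explicit length, not a C string. */
struct blob { const unsigned char *data; size_t len; };

/* Constructed inputs: one identity with an embedded NUL, one clean. */
static const unsigned char crafted[] = { 'a','l','i','c','e', 0, 'x','y' };
static const unsigned char clean[]   = { 'a','l','i','c','e' };

/* C-string matching: the comparison ends at the first NUL, so the crafted
 * identity is taken for the stored name "alice". */
static int match_cstring(struct blob wire, const char *stored)
{
    return wire.len >= strlen(stored) &&
           strncmp((const char *)wire.data, stored, wire.len) == 0;
}

/* Length-aware matching: reject any embedded NUL, then require the same
 * length and the same bytes. */
static int match_exact(struct blob wire, const char *stored)
{
    size_t n = strlen(stored);
    if (wire.len == 0 || memchr(wire.data, 0, wire.len) != NULL)
        return 0;
    return wire.len == n && memcmp(wire.data, stored, n) == 0;
}

int main(void)
{
    struct blob c = { crafted, sizeof crafted }, k = { clean, sizeof clean };
    return match_cstring(c, "alice") && !match_exact(c, "alice") &&
           match_exact(k, "alice") ? 0 : 1;
}
```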
5) Improper Certificate Validation (CVE-ID: CVE-2026-3833)
The vulnerability allows a remote attacker to bypass name constraints validation.
The vulnerability exists due to improper certificate validation in name constraints processing when comparing domain names in certificates. A remote attacker can present a specially crafted certificate to bypass name constraints validation.
This issue affects excluded name constraints because domain name comparison was performed case-sensitively, contrary to RFC 5280 section 7.2.
6) Improper Certificate Validation (CVE-ID: CVE-2026-42011)
The vulnerability allows a remote attacker to bypass name constraints during certificate validation.
The vulnerability exists due to improper certificate validation in the name constraints handling logic when processing certificate chains. A remote attacker can present a specially crafted certificate chain to bypass name constraints during certificate validation.
The issue occurs when permitted name constraints are ignored if prior certificate authorities contain only excluded name constraints.
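The two name-constraint rules from items 5 and 6, as an added example that is not GnuTLS code: dNSName subtrees are compared case-insensitively, and a CA's permitted list is enforced even when the CAs above it carry only excluded subtrees. The struct, function names and sample chain are hypothetical, and only dNSName constraints are modelled.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical per-CA constraint set, dNSName subtrees only. */
struct nc {
    const char *const *permitted; size_t n_perm;
    const char *const *excluded;  size_t n_excl;
};

/* 1 if name lies in the subtree base (RFC 5280 4.2.1.10): equal to base, or
 * base with labels added on the left. Comparison is ASCII case-insensitive. */
static int in_subtree(const char *name, const char *base)
{
    size_t nl = strlen(name), bl = strlen(base);
    if (nl < bl) return 0;
    const char *tail = name + (nl - bl);
    for (size_t i = 0; i < bl; i++)
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)base[i]))
            return 0;
    return nl == bl || tail[-1] == '.';
}

static int in_any(const char *name, const char *const *set, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (in_subtree(name, set[i])) return 1;
    return 0;
}

/* Applies every CA's constraints. A permitted list is enforced even when
 * the CAs above it carry only excluded subtrees. */
static int name_allowed(const char *name, const struct nc *chain, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        const struct nc *c = &chain[i];
        if (in_any(name, c->excluded, c->n_excl)) return 0;
        if (c->n_perm && !in_any(name, c->permitted, c->n_perm)) return 0;
    }
    return 1;
}

/* Constructed chain: the root only excludes, the intermediate only permits. */
static const char *const root_excl[] = { "internal.example.com" };
static const char *const sub_perm[]  = { "shop.example.com" };
static const struct nc sample_chain[] = {
    { NULL, 0, root_excl, 1 }, { sub_perm, 1, NULL, 0 } };

int main(void) { return name_allowed("shop.example.com", sample_chain, 2) ? 0 : 1; }
```

Mixed-case names and chains that mix excluded-only and permitted-only CAs make useful regression cases for any validator that enforces name constraints.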
7) Improper Certificate Validation (CVE-ID: CVE-2026-42012)
The vulnerability allows a remote attacker to misuse certificates beyond their intended purpose.
The vulnerability exists due to improper certificate validation in certificate hostname verification when processing certificates containing URI or SRV Subject Alternative Names. A remote attacker can present a specially crafted certificate to misuse certificates beyond their intended purpose.
Certificates with URI or SRV Subject Alternative Names may incorrectly fall back to checking DNS hostnames against the Common Name.
8) Improper Certificate Validation (CVE-ID: CVE-2026-42013)
The vulnerability allows a remote attacker to bypass certificate hostname validation.
The vulnerability exists due to improper certificate validation in certificate Subject Alternative Name and Common Name hostname checking when validating certificates with oversized Subject Alternative Names. A remote attacker can present a specially crafted certificate to bypass certificate hostname validation.
9) Use-after-free (CVE-ID: CVE-2026-42014)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to use-after-free in gnutls_pkcs11_token_set_pin() when changing the Security Officer PIN with oldpin set to NULL for a token lacking a protected authentication path. A remote attacker can trigger the vulnerable function call to cause a denial of service.
10) Out-of-bounds read (CVE-ID: CVE-2026-5260)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in RSA key exchange handling when processing an extremely short premaster secret from a client for a server using an RSA key backed by a PKCS#11 token. A remote attacker can send a specially crafted premaster secret to disclose sensitive information.
Only servers using an RSA key backed by a PKCS#11 token are vulnerable.
11) Out-of-bounds write (CVE-ID: CVE-2026-42015)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to out-of-bounds write in the PKCS#12 bag handling code when appending to a PKCS#12 bag that already contains 32 elements. A remote attacker can supply crafted PKCS#12 data to cause a denial of service.
12) Improper Certificate Validation (CVE-ID: CVE-2026-3832)
The vulnerability allows a remote attacker to bypass certificate revocation checks.
The vulnerability exists due to improper certificate status validation in OCSP response processing when validating a certificate against a multi-entry OCSP response. A remote attacker can supply a certificate status response with multiple entries to bypass certificate revocation checks.
13) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-5419)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to observable timing discrepancy in PKCS#7 padding check during decryption when processing ciphertext. A remote attacker can send specially crafted ciphertext to disclose sensitive information.
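How a padding check leaks through timing and how a branch-free check avoids it, as an added example that is not GnuTLS code. The function names and sample blocks are hypothetical and constructed; compilers can reintroduce branches, so the generated code should be inspected as well.

```c
#include <stddef.h>
#include <stdint.h>

/* Branch-free predicates on small values (both operands below 2^31). */
static uint32_t ct_lt(uint32_t a, uint32_t b) { return (a - b) >> 31; }
static uint32_t ct_nonzero(uint32_t x)        { return (0u - x) >> 31; }

/* Early-exit check: the loop stops at the first wrong byte, so running
 * time depends on how much of the padding is correct. */
static unsigned pkcs7_pad_len_leaky(const uint8_t *buf, size_t len, size_t block)
{
    if (block == 0 || block > 255 || len == 0 || len % block) return 0;
    unsigned pad = buf[len - 1];
    if (pad == 0 || pad > block) return 0;
    for (unsigned i = 0; i < pad; i++)
        if (buf[len - 1 - i] != pad) return 0;
    return pad;
}

/* Same result, but always reads the whole final block and folds every
 * comparison into one flag; only public values (len, block) are branched on. */
static unsigned pkcs7_pad_len_ct(const uint8_t *buf, size_t len, size_t block)
{
    if (block == 0 || block > 255 || len == 0 || len % block) return 0;
    uint32_t pad = buf[len - 1];
    uint32_t bad = (1u ^ ct_nonzero(pad)) | ct_lt((uint32_t)block, pad);
    for (size_t i = 0; i < block; i++) {
        uint32_t in_pad = ct_lt((uint32_t)i, pad);   /* 1 while i < pad */
        bad |= in_pad & ct_nonzero(buf[len - 1 - i] ^ pad);
    }
    return pad & (0u - (1u ^ bad));   /* pad if valid, 0 otherwise */
}

/* Constructed final blocks: valid 3-byte padding, and one corrupted byte. */
static const uint8_t good_pad[8] = { 1, 2, 3, 4, 5, 3, 3, 3 };
static const uint8_t bad_pad[8]  = { 1, 2, 3, 4, 5, 2, 3, 3 };

int main(void)
{
    return pkcs7_pad_len_ct(good_pad, 8, 8) == 3 &&
           pkcs7_pad_len_leaky(bad_pad, 8, 8) == 0 &&
           pkcs7_pad_len_ct(bad_pad, 8, 8) == 0 ? 0 : 1;
}
```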
Remediation
Install the update from the vendor's website.
References
- https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-1
- https://gitlab.com/gnutls/gnutls/-/issues/1816
- https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-2
- https://gitlab.com/gnutls/gnutls/-/issues/1848
- https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-3
- https://gitlab.com/gnutls/gnutls/-/issues/1811
- https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-4
- https://gitlab.com/gnutls/gnutls/-/issues/1850
- https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-5
- https://gitlab.com/gnutls/gnutls/-/issues/1803
- https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-6
- https://gitlab.com/gnutls/gnutls/-/issues/1824
- https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-7
- https://gitlab.com/gnutls/gnutls/-/issues/1802
- https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-8
- https://gitlab.com/gnutls/gnutls/-/issues/1825
- https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-9
- https://gitlab.com/gnutls/gnutls/-/issues/1766
- https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-10
- https://gitlab.com/gnutls/gnutls/-/issues/1814
- https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-11
- https://gitlab.com/gnutls/gnutls/-/issues/1840
- https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-12
- https://gitlab.com/gnutls/gnutls/-/issues/1801
- https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-13
- https://gitlab.com/gnutls/gnutls/-/issues/1815