SB2026070754 - Ubuntu update for gnutls28



SB2026070754 - Ubuntu update for gnutls28

Published: July 7, 2026

Security Bulletin ID SB2026070754
CSH Severity
High
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 10% Medium 80% Low 10%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 vulnerabilities.


1) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2024-0553)

CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform timing attack.

The vulnerability exists due to the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. A remote attacker can perform timing sidechannel attack in RSA-PSK key exchange.

Note, the vulnerability exists due to incomplete fox for #VU83316 (CVE-2023-5981).


2) Resource exhaustion (CVE-ID: CVE-2024-12243)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to libtasn1 does not properly control consumption of internal resources when decoding certain DER-encoded certificate data. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


3) Stack-based buffer overflow (CVE-ID: CVE-2025-9820)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the gnutls_pkcs11_token_init() function in lib/pkcs11_write.c when initializing the PKCS#11 token. A local user can trigger a stack-based buffer overflow and execute arbitrary code on the target system.


4) Resource exhaustion (CVE-ID: CVE-2025-14831)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when verifying certificates with a large amount of name constraints. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


5) Improper Certificate Validation (CVE-ID: CVE-2026-3833)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass name constraints validation.

The vulnerability exists due to improper certificate validation in name constraints processing when comparing domain names in certificates. A remote attacker can present a specially crafted certificate to bypass name constraints validation.

This issue affects excluded name constraints because domain name comparison was performed case-sensitively, contrary to RFC 5280 section 7.2.


6) Out-of-bounds read (CVE-ID: CVE-2026-5260)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to out-of-bounds read in RSA key exchange handling when processing an extremely short premaster secret from a client for a server using an RSA key backed by a PKCS#11 token. A remote attacker can send a specially crafted premaster secret to disclose sensitive information.

Only servers using an RSA key backed by a PKCS#11 token are vulnerable.


7) Heap-based buffer overflow (CVE-ID: CVE-2026-33845)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in the DTLS reassembly code when processing crafted DTLS fragments. A remote attacker can send specially crafted DTLS traffic to cause a denial of service or execute arbitrary code.


8) Heap-based buffer overflow (CVE-ID: CVE-2026-33846)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a heap overwrite.

The vulnerability exists due to a heap-based buffer overflow in DTLS fragment handling when processing inconsistent DTLS fragments. A remote attacker can send specially crafted DTLS fragments to cause a heap overwrite.


9) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-42009)

CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper implementation of a qsort comparator contract in the DTLS packet sequence number comparator when ordering DTLS packets by sequence numbers. A remote attacker can send DTLS packets with duplicate sequence numbers to cause a denial of service.


10) Improper Authentication (CVE-ID: CVE-2026-42010)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to improper authentication in RSA-PSK username matching when processing usernames containing a NUL character. A remote attacker can supply a specially crafted username to bypass authentication.


Remediation

Install update from vendor's website.