Skip to main content

GnuTLS CVE-2026-33846

| EUVDEUVD-2026-26926 HIGH
Improper Handling of Length Parameter Inconsistency (CWE-130)
2026-05-04 redhat
7.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 04, 2026 - 10:01 vuln.today
EUVD ID Assigned
May 04, 2026 - 09:45 euvd
EUVD-2026-26926
Analysis Generated
May 04, 2026 - 09:45 vuln.today
CVE Published
May 04, 2026 - 09:08 nvd
HIGH 7.5

DescriptionCVE.org

A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.

AnalysisAI

Heap buffer overflow in GnuTLS DTLS handshake allows remote unauthenticated attackers to crash applications or corrupt memory. The vulnerability stems from inconsistent fragment validation in merge_handshake_packet(), where attackers can send crafted DTLS fragments with conflicting message_length values to trigger out-of-bounds writes. Red Hat reported this affecting RHEL 6-10 and OpenShift Container Platform 4. CVSS 7.5 (High) reflects network-accessible denial of service, though memory corruption may enable further exploitation. No EPSS data, KEV status, or POC availability reported at time of analysis, but the remote unauthenticated attack vector (AV:N/PR:N) and low complexity (AC:L) make this a priority for systems using DTLS.

Technical ContextAI

GnuTLS is a widely-deployed open-source TLS/DTLS library used across Linux distributions and applications for secure communications. DTLS (Datagram TLS) adapts TLS for UDP transport and handles fragmented handshake messages that may arrive out-of-order or duplicated. The vulnerable merge_handshake_packet() function matches fragments solely by handshake type (e.g., ClientHello, ServerHello) without enforcing that all fragments of a single logical message declare the same message_length field. This CWE-130 (Improper Handling of Length Parameter Inconsistency) allows an attacker to send an initial fragment with a small message_length (triggering allocation of a correspondingly small heap buffer), followed by additional fragments with larger message_length values. When these inconsistent fragments are merged, data is written beyond the allocated buffer bounds, resulting in heap corruption. The affected CPE entries indicate Red Hat Enterprise Linux versions 6 through 10, Red Hat Hardened Images, and OpenShift Container Platform 4 all package vulnerable GnuTLS versions.

RemediationAI

Apply vendor-released security updates for GnuTLS as soon as Red Hat publishes patched packages for affected RHEL versions (consult https://access.redhat.com/security/cve/CVE-2026-33846 for release schedule and exact package versions). Until patches are deployed, implement compensating controls: disable DTLS protocol support entirely if not operationally required (configure applications to use TLS over TCP only), which eliminates the vulnerable code path but prevents UDP-based secure communications. For services that require DTLS, restrict network access to trusted IP ranges via firewall rules (note: this only reduces attack surface, does not eliminate vulnerability for permitted sources). Deploy network-layer DTLS traffic inspection if available to detect malformed handshake fragments, though evasion is likely given the protocol-level nature of the flaw. Monitor for application crashes in GnuTLS-dependent services as potential exploitation indicator. Prioritize patching for internet-facing DTLS endpoints (VPN concentrators, WebRTC gateways) over internal-only deployments.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5674 HIGH
8.8 Jul 16

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed

Share

CVE-2026-33846 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy