Skip to main content

GnuTLS CVE-2026-5260

| EUVDEUVD-2026-32009 HIGH
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-05-26 redhat
8.2
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
8.2 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 26, 2026 - 22:12 vuln.today
CVE Published
May 26, 2026 - 21:29 nvd
HIGH 8.2

DescriptionCVE.org

A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA key exchange to a server using an RSA key backed by a PKCS#11 token, could trigger a short heap overread. This memory corruption vulnerability could lead to information disclosure.

AnalysisAI

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap overread against TLS servers that perform legacy RSA key exchange using a private key backed by a PKCS#11 token. By sending an abnormally short premaster secret, the attacker causes the library to read beyond an allocated buffer (CWE-1284), which can leak a small amount of adjacent heap memory and, per the CVSS vector, more strongly impacts availability (A:H). No public exploit has been identified at time of analysis and the issue is not in CISA KEV; EPSS and SSVC data were not provided.

Technical ContextAI

GnuTLS is a widely deployed open-source library implementing TLS/SSL, used by many Linux applications for secure transport. The flaw lies in the server-side handling of the RSA key-exchange handshake (the legacy TLS_RSA_* cipher suites, where the client encrypts a premaster secret under the server's RSA public key rather than using ephemeral Diffie-Hellman). When the server's RSA private key is offloaded to a PKCS#11 token - a cryptographic abstraction layer used for HSMs, smartcards, and software token stores - the code path that decrypts and processes the premaster secret fails to properly validate the supplied length. CWE-1284 (Improper Validation of Specified Quantity in Input) is the root cause: an attacker-controlled, extremely short premaster secret leads the library to read past the end of the buffer, a classic heap overread/memory-corruption condition.

RemediationAI

No vendor-released patched version is identified in the provided data; the authoritative source for fixed package builds is the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-5260 and Bugzilla 2467450 (https://bugzilla.redhat.com/show_bug.cgi?id=2467450) - apply the gnutls errata for your RHEL or OpenShift release once published and restart services linking libgnutls. As a compensating control until patched, disable static RSA key-exchange cipher suites and require forward-secret (EC)DHE suites or enforce TLS 1.3, which removes RSA key exchange entirely and eliminates the vulnerable code path; the trade-off is potential incompatibility with very old clients that only support RSA key exchange. Alternatively, where feasible, serve affected endpoints with private keys held in software rather than a PKCS#11 token to avoid the specific PKCS#11 decryption path, accepting the reduced key-protection guarantees that an HSM/token otherwise provides. Inventory which TLS-facing services actually combine RSA key exchange with PKCS#11-backed keys, since most modern configurations are not exposed.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

CVE-2026-35091 HIGH
8.2 Apr 01

Out-of-bounds read in Corosync allows unauthenticated remote attackers to crash cluster nodes and potentially leak memor

Vendor StatusVendor

SUSE

Severity: High
Product Status
Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-Base Image SL-Micro-Base-RT Image SL-Micro-Base-RT-SelfInstall Image SL-Micro-Base-RT-encrypted Image SL-Micro-Base-SelfInstall Image SL-Micro-Base-encrypted Image SL-Micro-Base-qcow Image SL-Micro-EC2 Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
Image SLES-Azure-3P Image SLES-Azure-Basic Image SLES-Azure-Standard Image SLES-BYOS-Azure Image SLES-BYOS-EC2 Image SLES-BYOS-GCE Image SLES-EC2 Image SLES-GCE Image SLES-GCE-3P Image SLES-Hardened-BYOS-Azure Image SLES-Hardened-BYOS-EC2 Image SLES-Hardened-BYOS-GCE Image SLES-SAPCAL-Azure Image SLES-SAPCAL-EC2 Image SLES-SAPCAL-GCE Affected
Image SLES-SAP-Azure Image SLES-SAP-Azure-3P Image SLES-SAP-BYOS-Azure Image SLES-SAP-BYOS-EC2 Image SLES-SAP-BYOS-GCE Image SLES-SAP-EC2 Image SLES-SAP-GCE Image SLES-SAP-GCE-3P Affected
SUSE Liberty Linux 8 Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed

Share

CVE-2026-5260 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy