How to fix EUVD-2025-20927?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Is Ubuntu affected by EUVD-2025-20927?

Organizations using A heap-buffer-overread vulnerability should be aware of moderate risk from CVE-2025-32989 rated CVSS 5.3. Exploitation could compromise the security of affected deployments. Organizations should apply vendor updates when available and monitor for exploitation.

EUVD-2025-20927

| CVE-2025-32989 MEDIUM

2025-07-10 [email protected]

5.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 16, 2026 - 06:52 vuln.today

EUVD ID Assigned

Mar 16, 2026 - 06:52 euvd

EUVD-2025-20927

CVE Published

Jul 10, 2025 - 08:15 nvd

MEDIUM 5.3

Description

A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.

Analysis

Technical Context

Information disclosure occurs when an application inadvertently reveals sensitive data to unauthorized actors through error messages, logs, or improper access controls. This vulnerability is classified as Improper Certificate Validation (CWE-295).

Affected Products

Affected products: Gnu Gnutls -, Redhat Openshift Container Platform 4.0, Redhat Enterprise Linux 6.0

Remediation

Implement proper access controls. Sanitize error messages in production. Review logging practices to avoid capturing sensitive data.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +26

POC: 0

Vendor Status

Ubuntu

Priority: Medium

gnutls28

Release	Status	Version
upstream	released	3.8.9-3
jammy	released	3.7.3-4ubuntu1.7
noble	released	3.8.3-1.1ubuntu3.4
plucky	released	3.8.9-2ubuntu3.1
oracular	ignored	end of life, was needs-triage
bionic	not-affected	code not present
focal	not-affected	code not present
xenial	not-affected	code not present
questing	released	3.8.9-3ubuntu1

USN-7635-1

Debian

gnutls28

Release	Status	Fixed Version	Urgency
bullseye	not-affected	-	-
bullseye (security)	fixed	3.7.1-5+deb11u9	-
bookworm	fixed	3.7.9-2+deb12u5	-
bookworm (security)	fixed	3.7.9-2+deb12u6	-
trixie (security), trixie	fixed	3.8.9-3+deb13u2	-
forky, sid	fixed	3.8.12-3	-
(unstable)	fixed	3.8.9-3	-

DSA-5962-1

EUVD-2025-20927 vulnerability details – vuln.today

Back

EUVD-2025-20927

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

EUVD-2025-20927

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code