Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from Vendor (redhat) · only source for this CVE.
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.
AnalysisAI
GnuTLS with OCSP verification enabled incorrectly accepts revoked server certificates when presented with specially crafted multi-record OCSP responses during TLS handshakes, allowing attackers to bypass certificate revocation checks and establish connections to compromised servers. The vulnerability requires high attack complexity and specific OCSP configuration, affecting Red Hat Enterprise Linux 6-10, Red Hat Hardened Images, and OpenShift Container Platform 4. No public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
GnuTLS is a cryptographic library that implements TLS/SSL and DTLS protocols, including support for Online Certificate Status Protocol (OCSP) validation. OCSP is a mechanism for checking X.509 digital certificate revocation status in real-time, as an alternative to Certificate Revocation Lists (CRLs). The vulnerability stems from a logic error (CWE-179: Improper Neutralization of Formula Elements in a CSV File) in how GnuTLS parses and validates multi-record OCSP responses - responses that span multiple TLS records during the handshake. The affected CPE entries indicate the vulnerability impacts GnuTLS bundled with Red Hat Enterprise Linux versions 6 through 10, Red Hat Hardened Images, and OpenShift Container Platform 4, spanning both older legacy systems and modern containerized deployments.
RemediationAI
Apply Red Hat security updates for GnuTLS across affected systems using the vendor-provided errata for RHEL 6, 7, 8, 9, and 10, with specific patch versions available through Red Hat's advisory portal (https://access.redhat.com/security/cve/CVE-2026-3832). For OpenShift Container Platform 4 deployments, update the platform and rebuild container images with patched GnuTLS. As an interim compensating control, disable OCSP verification on affected clients if the security posture permits, though this weakens certificate revocation checking and should only be temporary; alternatively, enforce CRL-based revocation checking instead of OCSP if supported by the application. Network-level MITM prevention (such as pinning or explicit firewall rules limiting certificate issuance paths) can reduce the window of exposure for the specific attack scenario, but cannot fully mitigate the OCSP validation bypass itself. Monitor upstream GnuTLS releases and Red Hat advisories for patched version numbers, as this CVE was assigned in 2026 and patch availability timelines may not yet be final.
More in Red Hat Enterprise Linux 10
View allRemote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h
Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter
HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel
HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co
Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Same weakness CWE-179 – Incorrect Behavior Order: Early Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26402