CVE-2025-32989

A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
redhatCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 24%
VendorProductVersion
gnugnutls
-
redhatopenshift_container_platform
4.0
redhatenterprise_linux
6.0
redhatenterprise_linux
7.0
redhatenterprise_linux
8.0
redhatenterprise_linux
9.0
redhatenterprise_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
gnutls28
bullseye
3.7.1-5+deb11u5
not-affected
bullseye (security)
3.7.1-5+deb11u8
fixed
bookworm
3.7.9-2+deb12u5
fixed
bookworm (security)
3.7.9-2+deb12u5
fixed
trixie
3.8.9-3
fixed
forky
3.8.10-3
fixed
sid
3.8.11-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
gnutls28
questing
Fixed 3.8.9-3ubuntu1
released
plucky
Fixed 3.8.9-2ubuntu3.1
released
oracular
ignored
noble
Fixed 3.8.3-1.1ubuntu3.4
released
jammy
Fixed 3.7.3-4ubuntu1.7
released
focal
not-affected
bionic
not-affected
xenial
not-affected
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2025:16115
https://access.redhat.com/errata/RHSA-2025:16116
https://access.redhat.com/errata/RHSA-2025:17181
https://access.redhat.com/errata/RHSA-2025:17348
https://access.redhat.com/errata/RHSA-2025:17361
https://access.redhat.com/errata/RHSA-2025:19088
https://access.redhat.com/errata/RHSA-2025:22529
https://access.redhat.com/security/cve/CVE-2025-32989
https://bugzilla.redhat.com/show_bug.cgi?id=2359621
http://www.openwall.com/lists/oss-security/2025/07/11/3