CVE-2025-32989

A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites and the certificate's SCT extension is not checked correctly.
Provider   Type   Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       NIST   5.3 MEDIUM   NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
redhat     CNA    5.3 MEDIUM   NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA-ADP   ADP    ---                                                           ---
Base Score: CVSS 3.x
EPSS Score Percentile: 5%
Vendor   Product                       Version
gnu      gnutls                        -
redhat   openshift_container_platform  4.0
redhat   enterprise_linux              6.0
redhat   enterprise_linux              7.0
redhat   enterprise_linux              8.0
redhat   enterprise_linux              9.0
redhat   enterprise_linux              10.0
(Listed versions are the vulnerable software versions.)
Debian Releases
Debian Product   Codename               Version            Status
gnutls28         bullseye               3.7.1-5+deb11u5    not-affected
gnutls28         bullseye (security)    3.7.1-5+deb11u8    fixed
gnutls28         bookworm               -                  vulnerable
gnutls28         bookworm (security)    3.7.9-2+deb12u5    fixed
gnutls28         forky                  3.8.9-3            fixed
gnutls28         trixie                 3.8.9-3            fixed
gnutls28         sid                    3.8.10-2           fixed
Ubuntu Releases
Ubuntu Product   Codename   Fixed Version          Status
gnutls28         plucky     3.8.9-2ubuntu3.1       released
gnutls28         oracular   -                      ignored
gnutls28         noble      3.8.3-1.1ubuntu3.4     released
gnutls28         jammy      3.7.3-4ubuntu1.7       released
gnutls28         focal      -                      needs-triage
gnutls28         bionic     -                      needs-triage
gnutls28         xenial     -                      needs-triage