CVE-2026-33846

EUVD-2026-26926
A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 57%
Debian logo
Debian Releases
Debian Product
Codename
gnutls28
bookworm
vulnerable
bookworm (security)
3.7.9-2+deb12u7
fixed
bullseye
vulnerable
bullseye (security)
3.7.1-5+deb11u10
fixed
forky
3.8.13-1
fixed
sid
3.8.13-1
fixed
trixie
vulnerable
trixie (security)
3.8.9-3+deb13u4
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
gnutls
suse enterprise desktop 15 SP7
3.8.3-150600.4.20.1
fixed
suse enterprise sap 15 SP7
3.8.3-150600.4.20.1
fixed
suse enterprise server 12 SP3
3.3.27-3.18.1
fixed
suse enterprise server 12 SP5
3.3.27-3.18.1
fixed
suse enterprise server 15 SP4
3.7.3-150400.4.59.1
fixed
suse enterprise server 15 SP5
3.7.3-150400.4.59.1
fixed
suse enterprise server 15 SP6
3.8.3-150600.4.20.1
fixed
suse enterprise server 15 SP7
3.8.3-150600.4.20.1
fixed
gnutls-guile
suse enterprise server 15 SP5
3.7.3-150400.4.59.1
fixed
libgnutls-devel
suse enterprise desktop 15 SP7
3.8.3-150600.4.20.1
fixed
suse enterprise sap 15 SP7
3.8.3-150600.4.20.1
fixed
suse enterprise server 12 SP5
3.3.27-3.18.1
fixed
suse enterprise server 15 SP4
3.7.3-150400.4.59.1
fixed
suse enterprise server 15 SP5
3.7.3-150400.4.59.1
fixed
suse enterprise server 15 SP6
3.8.3-150600.4.20.1
fixed
suse enterprise server 15 SP7
3.8.3-150600.4.20.1
fixed
libgnutls-openssl-devel
suse enterprise server 12 SP5
3.3.27-3.18.1
fixed
libgnutls-openssl27
suse enterprise server 12 SP3
3.3.27-3.18.1
fixed
suse enterprise server 12 SP5
3.3.27-3.18.1
fixed
libgnutls28
suse enterprise server 12 SP3
3.3.27-3.18.1
fixed
suse enterprise server 12 SP5
3.3.27-3.18.1
fixed
libgnutls28-32bit
suse enterprise server 12 SP3
3.3.27-3.18.1
fixed
suse enterprise server 12 SP5
3.3.27-3.18.1
fixed
libgnutls30
suse enterprise desktop 15 SP7
3.8.3-150600.4.20.1
fixed
suse enterprise sap 15 SP7
3.8.3-150600.4.20.1
fixed
suse enterprise server 12 SP5
3.4.17-8.23.1
fixed
suse enterprise server 15 SP4
3.7.3-150400.4.59.1
fixed
suse enterprise server 15 SP5
3.7.3-150400.4.59.1
fixed
suse enterprise server 15 SP6
3.8.3-150600.4.20.1
fixed
suse enterprise server 15 SP7
3.8.3-150600.4.20.1
fixed
libgnutls30-32bit
suse enterprise desktop 15 SP7
3.8.3-150600.4.20.1
fixed
suse enterprise sap 15 SP7
3.8.3-150600.4.20.1
fixed
suse enterprise server 12 SP5
3.4.17-8.23.1
fixed
suse enterprise server 15 SP4
3.7.3-150400.4.59.1
fixed
suse enterprise server 15 SP5
3.7.3-150400.4.59.1
fixed
suse enterprise server 15 SP6
3.8.3-150600.4.20.1
fixed
suse enterprise server 15 SP7
3.8.3-150600.4.20.1
fixed
libgnutls30-hmac
suse enterprise server 15 SP4
3.7.3-150400.4.59.1
fixed
suse enterprise server 15 SP5
3.7.3-150400.4.59.1
fixed
libgnutls30-hmac-32bit
suse enterprise server 15 SP4
3.7.3-150400.4.59.1
fixed
suse enterprise server 15 SP5
3.7.3-150400.4.59.1
fixed
libgnutlsxx-devel
suse enterprise desktop 15 SP7
3.8.3-150600.4.20.1
fixed
suse enterprise sap 15 SP7
3.8.3-150600.4.20.1
fixed
suse enterprise server 12 SP5
3.3.27-3.18.1
fixed
suse enterprise server 15 SP4
3.7.3-150400.4.59.1
fixed
suse enterprise server 15 SP5
3.7.3-150400.4.59.1
fixed
suse enterprise server 15 SP6
3.8.3-150600.4.20.1
fixed
suse enterprise server 15 SP7
3.8.3-150600.4.20.1
fixed
libgnutlsxx28
suse enterprise server 15 SP4
3.7.3-150400.4.59.1
fixed
suse enterprise server 15 SP5
3.7.3-150400.4.59.1
fixed
libgnutlsxx30
suse enterprise desktop 15 SP7
3.8.3-150600.4.20.1
fixed
suse enterprise sap 15 SP7
3.8.3-150600.4.20.1
fixed
suse enterprise server 15 SP6
3.8.3-150600.4.20.1
fixed
suse enterprise server 15 SP7
3.8.3-150600.4.20.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
gnutls
RHEL 8
0:3.6.16-8.el8_10.6
fixed
RHEL 9
0:3.8.10-4.el9_8
fixed
gnutls-c
RHEL 8
0:3.6.16-8.el8_10.6
fixed
RHEL 9
0:3.8.10-4.el9_8
fixed
gnutls-dane
RHEL 8
0:3.6.16-8.el8_10.6
fixed
RHEL 9
0:3.8.10-4.el9_8
fixed
gnutls-devel
RHEL 8
0:3.6.16-8.el8_10.6
fixed
RHEL 9
0:3.8.10-4.el9_8
fixed
gnutls-utils
RHEL 8
0:3.6.16-8.el8_10.6
fixed
RHEL 9
0:3.8.10-4.el9_8
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
gnutls
Amazon Linux 2
0:3.3.29-9.amzn2.0.4
fixed
Amazon Linux 2023
0:3.8.3-8.amzn2023.0.3
fixed
gnutls-c++
Amazon Linux 2
0:3.3.29-9.amzn2.0.4
fixed
Amazon Linux 2023
0:3.8.3-8.amzn2023.0.3
fixed
gnutls-c++-debuginfo
Amazon Linux 2023
0:3.8.3-8.amzn2023.0.3
fixed
gnutls-dane
Amazon Linux 2
0:3.3.29-9.amzn2.0.4
fixed
Amazon Linux 2023
0:3.8.3-8.amzn2023.0.3
fixed
gnutls-dane-debuginfo
Amazon Linux 2023
0:3.8.3-8.amzn2023.0.3
fixed
gnutls-debuginfo
Amazon Linux 2
0:3.3.29-9.amzn2.0.4
fixed
Amazon Linux 2023
0:3.8.3-8.amzn2023.0.3
fixed
gnutls-debugsource
Amazon Linux 2023
0:3.8.3-8.amzn2023.0.3
fixed
gnutls-devel
Amazon Linux 2
0:3.3.29-9.amzn2.0.4
fixed
Amazon Linux 2023
0:3.8.3-8.amzn2023.0.3
fixed
gnutls-utils
Amazon Linux 2
0:3.3.29-9.amzn2.0.4
fixed
Amazon Linux 2023
0:3.8.3-8.amzn2023.0.3
fixed
gnutls-utils-debuginfo
Amazon Linux 2023
0:3.8.3-8.amzn2023.0.3
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
gnutls
Azure Linux 3.0
0:3.8.3-11.azl3
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://access.redhat.com/errata/RHSA-2026:13274
https://access.redhat.com/errata/RHSA-2026:20611
https://access.redhat.com/errata/RHSA-2026:20612
https://access.redhat.com/errata/RHSA-2026:20613
https://access.redhat.com/errata/RHSA-2026:26319
https://access.redhat.com/errata/RHSA-2026:26409
https://access.redhat.com/security/cve/CVE-2026-33846
https://bugzilla.redhat.com/show_bug.cgi?id=2450625