Bug 2359622 (CVE-2025-32988)

Summary: CVE-2025-32988 gnutls: Vulnerability in GnuTLS otherName SAN export
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adudiak, kshier, omaciel, saroy, security-response-team, stcannon, yguenane
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-04-15 01:32:23 UTC 
A double-free vulnerability exists in GnuTLS (confirmed in version 3.8.9) due to incorrect
ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an
otherName. If the type-id OID is invalid or malformed, GnuTLS will call
asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free
condition when the parent function or caller later attempts to free the same structure.
This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of
service or memory corruption, depending on allocator behavior.
Comment 2 errata-xmlrpc 2025-09-17 17:06:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:16115 https://access.redhat.com/errata/RHSA-2025:16115
Comment 3 errata-xmlrpc 2025-09-17 17:59:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:16116 https://access.redhat.com/errata/RHSA-2025:16116
Comment 4 errata-xmlrpc 2025-10-06 02:29:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:17348 https://access.redhat.com/errata/RHSA-2025:17348
Comment 5 errata-xmlrpc 2025-10-06 08:43:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:17361 https://access.redhat.com/errata/RHSA-2025:17361
Comment 6 errata-xmlrpc 2025-10-07 07:26:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:17415 https://access.redhat.com/errata/RHSA-2025:17415