Bug 2450625 (CVE-2026-33846)
| Summary: | CVE-2026-33846 gnutls: GnuTLS: Denial of Service via heap buffer overflow in DTLS handshake fragment reassembly | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | cnewsom, kshier, rhel-process-autobot, security-response-team, stcannon, teagle, watson-tool-maintainers, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption. | | |
| Bug Depends On: | 2477363 | | |
| Bug Blocks: | | | |
Description
OSIDB Bzimport
2026-03-24 05:39:41 UTC
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2026:20611 https://access.redhat.com/errata/RHSA-2026:20611

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 10
Via RHSA-2026:20613 https://access.redhat.com/errata/RHSA-2026:20613

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9
Via RHSA-2026:20612 https://access.redhat.com/errata/RHSA-2026:20612

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 10.0 Extended Update Support
Via RHSA-2026:26409 https://access.redhat.com/errata/RHSA-2026:26409

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9.6 Extended Update Support
Via RHSA-2026:30004 https://access.redhat.com/errata/RHSA-2026:30004

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service
Via RHSA-2026:30850 https://access.redhat.com/errata/RHSA-2026:30850

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On
Via RHSA-2026:30849 https://access.redhat.com/errata/RHSA-2026:30849

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions
Via RHSA-2026:32962 https://access.redhat.com/errata/RHSA-2026:32962

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On
Via RHSA-2026:33125 https://access.redhat.com/errata/RHSA-2026:33125
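
The consistency check that the Doc Text above describes as missing, shown as an added C example that is not GnuTLS code or the upstream fix: the first fragment fixes the buffer size, and every later fragment must repeat the same message_length and fit inside it. The `frag` and `reasm` types, `reasm_merge()`, `demo_conflicting_length()` and the `MAX_HS_LEN` cap are hypothetical names and assumptions; the sample fragments are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HS_LEN (64u * 1024u) /* assumed local cap on message_length */
/* Hypothetical types for illustration; not GnuTLS structures. */
struct frag {            /* one parsed DTLS handshake fragment */
    uint8_t htype;       /* handshake type */
    uint32_t msg_len;    /* message_length */
    uint32_t off, len;   /* fragment_offset, fragment_length */
    const uint8_t *data; /* len bytes of fragment body */
};
struct reasm {           /* reassembly state for one message */
    uint8_t htype;
    uint32_t msg_len;    /* fixed by the first fragment */
    uint8_t *buf;        /* NULL until the first fragment allocates it */
};

/* Merge one fragment; returns 0 if accepted, -1 if rejected. */
int reasm_merge(struct reasm *r, const struct frag *f)
{
    if (f->msg_len > MAX_HS_LEN || f->off > f->msg_len ||
        f->len > f->msg_len - f->off)
        return -1; /* fragment does not fit inside the message it claims */
    if (r->buf == NULL) {
        r->buf = calloc(1, f->msg_len ? f->msg_len : 1);
        if (r->buf == NULL)
            return -1;
        r->htype = f->htype;
        r->msg_len = f->msg_len;
    } else if (f->htype != r->htype || f->msg_len != r->msg_len) {
        return -1; /* length differs from the one the buffer was sized for */
    }
    if (f->len > 0)
        memcpy(r->buf + f->off, f->data, f->len);
    return 0;
}

/* Constructed input: first fragment says 16 bytes, second says 4096. */
int demo_conflicting_length(void)
{
    static const uint8_t body[64] = {0};
    struct reasm r = {0};
    struct frag first = {11, 16, 0, 8, body}, second = {11, 4096, 8, 64, body};
    int ok = reasm_merge(&r, &first), bad = reasm_merge(&r, &second);
    free(r.buf);
    return ok == 0 && bad == -1;
}
int main(void) { return demo_conflicting_length() ? 0 : 1; }
```

The range test is written as `len > msg_len - off` after checking `off <= msg_len`, so it cannot wrap the way `off + len > msg_len` could.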