Bug 2359621 (CVE-2025-32989) - CVE-2025-32989 gnutls: Vulnerability in GnuTLS SCT extension parsing
Summary: CVE-2025-32989 gnutls: Vulnerability in GnuTLS SCT extension parsing
Keywords:
Status: NEW
Alias: CVE-2025-32989
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2025-04-15 01:32 UTC by OSIDB Bzimport
Modified: 2025-07-11 08:49 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-04-15 01:32:21 UTC
A heap-buffer-overread vulnerability exists in GnuTLS (confirmed in version 3.8.9) due to unsafe
handling of the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension
during X.509 certificate parsing. The vulnerability can be triggered by a malicious peer
presenting a crafted certificate containing a malformed SCT extension (OID
1.3.6.1.4.1.11129.2.4.2).
This overread may lead to disclosure of heap memory contents to attackers if the SCT log_id
is logged, exported, or otherwise exposed by the application consuming the GnuTLS client
library.
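The wire format the report refers to is the SignedCertificateTimestampList of RFC 6962 (the TLS-encoded content of the OCTET STRING carried in extension 1.3.6.1.4.1.11129.2.4.2). The parser below is an added illustration written for this page, not GnuTLS code and not a reproduction of the reported flaw: it checks every length field (outer list, per-SCT, extensions, signature) against the bytes actually present before reading, so a truncated SCT, an inflated inner length, or a log_id shorter than 32 bytes is rejected rather than read past the buffer. The sample inputs are constructed; the input is assumed to be the already DER-unwrapped list.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SCT_LOG_ID_LEN 32

/* Byte cursor: every read checks the remaining length before touching memory. */
typedef struct { const uint8_t *p; size_t len; } cursor_t;

static int take(cursor_t *c, size_t n, const uint8_t **out) {
    if (n > c->len) return 0;              /* would read past the buffer: reject */
    *out = c->p; c->p += n; c->len -= n;
    return 1;
}
static int take_u8(cursor_t *c, uint8_t *v) {
    const uint8_t *p;
    if (!take(c, 1, &p)) return 0;
    *v = p[0]; return 1;
}
static int take_u16(cursor_t *c, uint16_t *v) {
    const uint8_t *p;
    if (!take(c, 2, &p)) return 0;
    *v = (uint16_t)((p[0] << 8) | p[1]); return 1;
}
static int take_u64(cursor_t *c, uint64_t *v) {
    const uint8_t *p;
    if (!take(c, 8, &p)) return 0;
    *v = 0;
    for (int i = 0; i < 8; i++) *v = (*v << 8) | p[i];
    return 1;
}

typedef struct {
    uint8_t  version;
    uint8_t  log_id[SCT_LOG_ID_LEN];
    uint64_t timestamp;
    uint16_t ext_len;
    uint8_t  hash_alg, sig_alg;
    uint16_t sig_len;
} sct_t;

/* Parse one SerializedSCT (RFC 6962 s3.2). Returns 1 on success, 0 on any framing error. */
static int parse_sct(const uint8_t *buf, size_t len, sct_t *out) {
    cursor_t c = { buf, len };
    const uint8_t *p;
    if (!take_u8(&c, &out->version)) return 0;
    if (!take(&c, SCT_LOG_ID_LEN, &p)) return 0;   /* log_id is a fixed 32 bytes; a short SCT fails here */
    memcpy(out->log_id, p, SCT_LOG_ID_LEN);
    if (!take_u64(&c, &out->timestamp)) return 0;
    if (!take_u16(&c, &out->ext_len)) return 0;
    if (!take(&c, out->ext_len, &p)) return 0;
    if (!take_u8(&c, &out->hash_alg)) return 0;
    if (!take_u8(&c, &out->sig_alg)) return 0;
    if (!take_u16(&c, &out->sig_len)) return 0;
    if (!take(&c, out->sig_len, &p)) return 0;
    return c.len == 0;                             /* trailing bytes inside an SCT are a framing error too */
}

/* Parse a SignedCertificateTimestampList (RFC 6962 s3.3). Returns the SCT count, or -1 if any
 * length field disagrees with the bytes present. Up to max_out entries are copied into out
 * (out may be NULL when max_out is 0). */
int parse_sct_list(const uint8_t *buf, size_t len, sct_t *out, size_t max_out) {
    cursor_t c = { buf, len };
    uint16_t list_len;
    int n = 0;
    if (!take_u16(&c, &list_len)) return -1;
    if (list_len != c.len) return -1;              /* outer length must cover exactly the remainder */
    while (c.len > 0) {
        uint16_t sct_len; const uint8_t *p; sct_t tmp;
        if (!take_u16(&c, &sct_len)) return -1;
        if (!take(&c, sct_len, &p)) return -1;     /* inner length exceeds what is left */
        if (!parse_sct(p, sct_len, &tmp)) return -1;
        if ((size_t)n < max_out) out[n] = tmp;
        n++;
    }
    return n;
}

/* Constructed sample: one v1 SCT, empty extensions, 4-byte dummy signature (55 bytes). */
static const uint8_t GOOD_LIST[] = {
    0x00, 0x35,                                     /* list length = 53 */
    0x00, 0x33,                                     /* SCT length = 51 */
    0x00,                                           /* version = v1 */
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, /* log_id, 32 constructed bytes */
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x00, 0x00, 0x01, 0x8f, 0x00, 0x00, 0x00, 0x00, /* timestamp (constructed) */
    0x00, 0x00,                                     /* extensions length = 0 */
    0x04, 0x03,                                     /* sha256, ecdsa */
    0x00, 0x04,                                     /* signature length = 4 */
    0xde, 0xad, 0xbe, 0xef                          /* dummy signature */
};
/* Constructed malformed list: the SCT is only 10 bytes, so the 32-byte log_id cannot be read. */
static const uint8_t SHORT_SCT[] = { 0x00, 0x0c, 0x00, 0x0a, 0x00, 1, 2, 3, 4, 5, 6, 7, 8, 9 };

int demo_truncated(void) {  /* outer length no longer matches the bytes present */
    return parse_sct_list(GOOD_LIST, sizeof GOOD_LIST - 8, NULL, 0);
}
int demo_inflated_sig_len(void) {  /* signature length field claims 64 bytes that are not there */
    uint8_t buf[sizeof GOOD_LIST];
    memcpy(buf, GOOD_LIST, sizeof buf);
    buf[49] = 0x00; buf[50] = 0x40;
    return parse_sct_list(buf, sizeof buf, NULL, 0);
}
```

The rule the parser follows at every level is the same: a length field is a claim, and the claim is checked against the enclosing buffer before a single byte is copied or logged, which is exactly the check that keeps a malformed SCT from turning into exposed heap contents in whatever later consumes the parsed log_id.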

