2423177 – (CVE-2025-14831) CVE-2025-14831 gnutls: GnuTLS: Denial of Service via excessive resource consumption during certificate verification

Bug 2423177 (CVE-2025-14831) - CVE-2025-14831 gnutls: GnuTLS: Denial of Service via excessive resource consumption during certificate verification

Summary: CVE-2025-14831 gnutls: GnuTLS: Denial of Service via excessive resource consu...

Keywords:
Status:	NEW
Alias:	CVE-2025-14831
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2437986 2437987
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-17 14:52 UTC by OSIDB Bzimport
Modified:	2026-02-09 14:34 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-17 14:52:47 UTC

Verifying Certificates with large amout of name constraints and subject alternative names makes GnuTLS vulnerable to DoS attacks

When trying to verify a certificate chain using the certtool --verify command, with certificates, that contain a larger number of SANs and Name Constraints, GnuTLS tries to verify all of them, without any bound on the quantity of those fields.
Using those crafted malicious certificate, GnuTLS is vulnerable to DoS attacks by excessive usage of CPU and memory.

Note You need to log in before you can comment on or make changes to this bug.