| Package | gnutls28 |
|---|---|
| Version | 3.5.8-5+deb9u11 (stretch), 3.6.7-4+deb10u16 (buster) |
| Related CVEs | CVE-2026-3833 CVE-2026-5260 CVE-2026-33845 CVE-2026-33846 CVE-2026-42009 CVE-2026-42011 CVE-2026-42012 CVE-2026-42013 CVE-2026-42014 CVE-2026-42015 |
- CVE-2026-3833

  Oleh Konko and Joshua Rogers independently discovered that domain name comparison during name constraints processing was case-sensitive, thereby violating RFC 5280 §7.2. For excluded name constraints, this could lead to incorrectly accepting domain names that should have been rejected.
- CVE-2026-5260

  Joshua Rogers discovered that for a server using an RSA key backed by a PKCS#11 token, a client sending an extremely short premaster secret during an RSA key exchange could trigger a short heap overread.

  This vulnerability does not affect the GnuTLS version found in stretch (or any version prior to 3.6.5).
- CVE-2026-33845

  Joshua Rogers discovered a remotely triggerable underflow in the DTLS reassembly code leading to a heap overrun.
- CVE-2026-33846

  Haruto Kimura, Oscar Reparaz and Zou Dikai independently discovered that GnuTLS failed to properly check that DTLS fragments claimed a consistent `message_length` value, and that a bounds check on the array was missing, enabling an attacker to cause a heap overwrite.

- CVE-2026-42009

  Joshua Rogers discovered that the comparator function used for ordering DTLS packets by sequence numbers did not follow qsort comparator contracts in case of packets with duplicate sequence numbers, which could lead to undefined behaviour.
- CVE-2026-42010

  Joshua Rogers discovered that servers configured with RSA-PSK wrongfully matched usernames containing a `NUL` character to ones truncated at the `NUL` character, which could lead to an authentication bypass.

- CVE-2026-42011

  Haruto Kimura discovered that permitted name constraints were wrongfully ignored when prior CAs only had excluded name constraints, resulting in a name constraint bypass.
- CVE-2026-42012

  Oleh Konko discovered that certificates containing URI or SRV Subject Alternative Names would fall back to checking DNS hostnames against Common Name, thereby violating RFC 6125 §6.3. This could allow potential misuse of such certificates beyond their original purpose.

  Note: This is a breaking change for setups relying on non-RFC 6125-compliant behavior such as unconditional CN fallback or CN fallback with an unsupported SAN type.
- CVE-2026-42013

  Haruto Kimura and Joshua Rogers independently discovered that validation of certificates with oversized Subject Alternative Names would fall back to checking DNS hostnames against Common Name.
- CVE-2026-42014

  Luigino Camastra and Joshua Rogers discovered that changing the Security Officer PIN with `gnutls_pkcs11_token_set_pin()` with `oldpin == NULL` for a token lacking a protected authentication path led to a use-after-free.

  This vulnerability does not affect the GnuTLS version found in stretch (or any version prior to 3.6.5).
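The two name-constraint issues above (CVE-2026-3833 and CVE-2026-42011) both come down to how dNSName subtrees are matched and accumulated along a chain. The following is an added illustration written for this advisory, not GnuTLS code: it compares names case-insensitively as RFC 5280 §7.2 requires, keeps permitted subtrees from every CA even when a later or earlier CA states only excluded ones, and takes a `casefold` switch so the effect of a case-sensitive compare can be observed. The chain in `SAMPLE_CHAIN` is constructed.

```python
# Added illustration (not GnuTLS code): dNSName constraint matching as
# RFC 5280 §4.2.1.10 and §7.2 require, covering the two defects above.

def dns_in_subtree(name: str, subtree: str, casefold: bool = True) -> bool:
    """True if `name` equals `subtree` or lies below it (extra left-most labels).

    RFC 5280 §7.2 says DNS names are compared case-insensitively; passing
    casefold=False reproduces the case-sensitive comparison behind
    CVE-2026-3833 so the difference is visible in the checks below.
    """
    if casefold:
        name, subtree = name.lower(), subtree.lower()
    name, subtree = name.rstrip("."), subtree.rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def check_chain(leaf_dns: str, chain_constraints, casefold: bool = True) -> bool:
    """Evaluate accumulated name constraints for one leaf dNSName.

    chain_constraints is a list of (permitted, excluded) pairs, one per CA
    from the trust anchor down to the issuing CA; each element is a list of
    dNSName subtrees (empty when that CA states none of that kind).
    """
    excluded = []
    permitted_sets = []   # one entry per CA that listed permittedSubtrees
    for permitted, excl in chain_constraints:
        excluded.extend(excl)
        # A CA carrying only excludedSubtrees contributes nothing here, but
        # it must not discard permittedSubtrees recorded from other CAs
        # (the behaviour behind CVE-2026-42011).
        if permitted:
            permitted_sets.append(permitted)
    # Any excluded match rejects the name outright.
    if any(dns_in_subtree(leaf_dns, e, casefold) for e in excluded):
        return False
    # Every CA that restricted permitted names must allow this one
    # (the intersection semantics of RFC 5280 §6.1.4).
    return all(any(dns_in_subtree(leaf_dns, p, casefold) for p in perms)
               for perms in permitted_sets)


# Constructed sample chain: root CA only excludes, intermediate only permits.
SAMPLE_CHAIN = [([], ["bad.example"]), (["corp.example"], [])]
```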
This update also fixes additional security issues for which no CVE ID was assigned yet:

- Joshua Rogers discovered that the OCSP signing EKU OID was compared without verifying its length, allowing a shorter OID that shares the same prefix to match.

- Haruto Kimura discovered a possible invalid pointer dereference in the PKCS#11 trust removal error path.

- Kamil Frankowicz discovered that `gnutls_privkey_verify_params()` overlooked the scenario of `p` and `q` not being co-prime. It now returns `GNUTLS_E_PK_INVALID_PRIVKEY` in this case.

- Joshua Rogers discovered that if `gnutls_x509_crt_list_import_pkcs11()` failed partway through, then the trust list cleanup code would try to free already-deinitialized certificate entries, leading to a double-free.

- Kamil Frankowicz and Joshua Rogers independently discovered that insufficient bounds checking on the PEM header length could lead to short heap overreads on specially crafted inputs.
For Debian 10 buster, these problems have been fixed in version 3.6.7-4+deb10u16.
For Debian 9 stretch, these problems have been fixed in version 3.5.8-5+deb9u11.
We recommend that you upgrade your gnutls28 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.