The GnuTLS project, a vital secure communications library used extensively across the Linux ecosystem to implement SSL, TLS, and DTLS protocols, has issued a major security update. Version 3.8.13, released on April 29, 2026, addresses a dozen Common Vulnerabilities and Exposures (CVEs) that range from low-risk timing issues to high-severity heap overwrites.
GnuTLS is designed to keep the complexity of Public Key Infrastructure (PKI) out of application code, but this latest round of fixes highlights that even the most fundamental security layers require constant vigilance.
The most critical fixes in this release target the Datagram Transport Layer Security (DTLS) reassembly code and identity verification logic.
- Heap Overwrites in DTLS (CVE-2026-42009, CVE-2026-33846 & CVE-2026-33845): Researchers discovered that GnuTLS failed to check for consistent message_length values in DTLS fragments. A missing array size check and a remotely triggerable underflow could allow an attacker to cause a heap overwrite or overrun, potentially leading to arbitrary code execution.
- RSA-PSK Identity Truncation (CVE-2026-42010): A dangerous flaw in servers configured with RSA-PSK allowed authentication bypass. Usernames containing a NUL character were wrongly matched against their truncated versions, essentially letting unauthorized users slip through the login gate.
- Name Constraint Bypasses (CVE-2026-3833 & CVE-2026-42011): GnuTLS previously used case-sensitive comparison for domain names, violating RFC 5280. This could lead to the incorrect acceptance of domain names that should have been rejected under excluded name constraints.
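The DTLS reassembly defect class described above, as an added illustration that is not GnuTLS code: a minimal fragment reassembler that rejects a fragment whose message_length disagrees with the first fragment's, or whose fragment_offset + fragment_length would run past the allocated buffer, before anything is copied. The struct layout, function names and sample fragments are constructed for this example; only the header field names come from RFC 6347.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* DTLS handshake header fields that drive reassembly (RFC 6347, section 4.2.2). */
typedef struct {
    uint32_t message_length;    /* length of the whole handshake message (24-bit on the wire) */
    uint32_t fragment_offset;   /* where this fragment's bytes belong in that message */
    uint32_t fragment_length;   /* number of bytes in body */
    const uint8_t *body;
} dtls_fragment;

typedef struct {
    uint8_t *buf;               /* message_length bytes, allocated when the first fragment arrives */
    uint32_t message_length;
} dtls_reassembly;

/* Accept (0) or reject (-1) one fragment. Every check runs before any write into buf. */
int dtls_reassemble_fragment(dtls_reassembly *r, const dtls_fragment *f)
{
    if (f->message_length >= (1u << 24)) return -1;          /* cannot fit the 24-bit field */
    if (r->buf == NULL) {                                    /* first fragment sizes the buffer */
        r->buf = calloc(f->message_length + 1, 1);           /* +1 keeps a zero-length message non-NULL */
        if (r->buf == NULL) return -1;
        r->message_length = f->message_length;
    } else if (f->message_length != r->message_length) {
        return -1;   /* a later fragment disagrees with the length the buffer was sized for */
    }
    /* 64-bit sum: offset + length must not wrap, and must end inside the allocated message */
    if ((uint64_t)f->fragment_offset + f->fragment_length > r->message_length) return -1;
    memcpy(r->buf + f->fragment_offset, f->body, f->fragment_length);
    return 0;
}

/* Constructed scenario: a 6-byte message in two fragments, with three malformed ones in between.
   Returns 1 when every malformed fragment is rejected and the message still reassembles. */
int dtls_demo(void)
{
    static const uint8_t a[] = {1, 2, 3, 4}, b[] = {5, 6};
    dtls_reassembly r = {0};
    dtls_fragment ok1 = {6, 0, 4, a}, ok2 = {6, 4, 2, b};
    dtls_fragment bad_len = {7, 4, 2, b};                /* message_length changed between fragments */
    dtls_fragment bad_end = {6, 5, 2, b}, bad_wrap = {6, 0xFFFFFFFFu, 2, b}; /* past end; 32-bit wrap */
    int pass = dtls_reassemble_fragment(&r, &ok1) == 0 && dtls_reassemble_fragment(&r, &bad_len) == -1
            && dtls_reassemble_fragment(&r, &bad_end) == -1 && dtls_reassemble_fragment(&r, &bad_wrap) == -1
            && dtls_reassemble_fragment(&r, &ok2) == 0 && memcmp(r.buf, "\x01\x02\x03\x04\x05\x06", 6) == 0;
    free(r.buf);
    return pass;
}
```

A production reassembler would additionally track which byte ranges have arrived so that duplicated or overlapping fragments cannot be counted as progress toward a complete message.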
Several medium-severity vulnerabilities were addressed to prevent the misuse of certificates beyond their original intent.
- Suppressed CN Fallbacks (CVE-2026-42012 & CVE-2026-42013): The library will no longer fall back to checking DNS hostnames against the “Common Name” (CN) if a certificate contains URI or SRV Subject Alternative Names (SAN), or if the SAN is oversized. This change hardens the validation process against potential spoofing.
- PKCS#11 Use-After-Free (CVE-2026-42014): When changing a Security Officer (SO) PIN, an uninitialized pointer could lead to a use-after-free condition.
Even the lower-severity fixes in version 3.8.13 address fundamental security logic errors.
- OCSP Revocation Bypass (CVE-2026-3832): In a striking logic error, when validating against a multi-entry OCSP response, GnuTLS only checked the revocation status of the first entry instead of the one matching the certificate. This could allow revoked certificates to be erroneously accepted as valid.
- Timing Side-Channel (CVE-2026-5419): A non-constant-time check during PKCS#7 padding removal could leak information about padding bytes through timing differences. The logic has been rewritten to be “branch-free” to neutralize this information leak.
Administrators and developers using GnuTLS as their communications back-end are strongly urged to upgrade to version 3.8.13 or higher immediately to mitigate these risks.