Description
A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).
Published: 2026-02-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in GnuTLS and permits a denial of service by forcing the library to consume excessive CPU and memory while verifying certificates that contain a very large number of name constraints or subject alternative names. The result is that the TLS handshake stalls or crashes, preventing legitimate connections from succeeding and potentially exhausting system resources.

Affected Systems

Affected products include Red Hat AI Inference Server 3.2 and 3.3, Red Hat Ceph Storage 8, Red Hat Discovery 2, several releases of Red Hat Enterprise Linux (6, 7, 8, 9, 10 and related extended update support branches), Red Hat Hardened Images, Red Hat Insights proxy 1.5, Red Hat OpenShift Container Platform 4, and Red Hat Update Infrastructure 5. All of these incorporate the vulnerable GnuTLS library and are susceptible.

Risk and Exploitability

The CVSS score of 5.3 places the vulnerability in the medium severity range. The EPSS score is below 1%, indicating a very low probability of exploitation in the wild as of now, and the vulnerability is not listed in CISA's KEV catalog. Nevertheless, an attacker could trigger the denial of service by presenting a malicious certificate during a TLS handshake, a remote path that is typically available to networked clients. The exploit would require the target to load the vulnerable GnuTLS library, which is present in most of the listed Red Hat products.

Generated by OpenCVE AI on April 20, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Red Hat package updates RHSA-2026:3477 and related errata to upgrade GnuTLS to the fixed release.
  • After updating, restart all services that use GnuTLS, such as web servers, database connectors, and certificate verification components, to load the patched library.
  • If a patch cannot be applied immediately, restrict inbound TLS traffic to trusted clients or temporarily disable services that use the vulnerable library until the update is available.

Advisories

  Source      ID           Title
  Debian DLA  DLA-4492-1   gnutls28 security update
  Debian DSA  DSA-6140-1   gnutls28 security update
  Ubuntu USN  USN-8043-1   GnuTLS vulnerabilities

History

Wed, 22 Apr 2026 18:30:00 +0000
  References: updated

Fri, 17 Apr 2026 13:45:00 +0000

Fri, 17 Apr 2026 11:45:00 +0000
  CPEs: added cpe:/a:redhat:ai_inference_server:3.3::el9
  References: updated

Thu, 09 Apr 2026 21:00:00 +0000
  First Time appeared: Redhat ai Inference Server
  CPEs: added cpe:/a:redhat:ai_inference_server:3.2::el9
  Vendors & Products: added Redhat ai Inference Server
  References: updated

Thu, 09 Apr 2026 15:30:00 +0000
  First Time appeared: Redhat discovery
  CPEs: added cpe:/a:redhat:discovery:2::el9
  Vendors & Products: added Redhat discovery
  References: updated

Tue, 07 Apr 2026 18:00:00 +0000
  First Time appeared: Redhat hummingbird
  CPEs: added cpe:/a:redhat:hummingbird:1
  Vendors & Products: added Redhat hummingbird

Tue, 07 Apr 2026 11:30:00 +0000
  CPEs: added cpe:/a:redhat:rhel_eus:9.4::appstream, cpe:/o:redhat:rhel_eus:9.4::baseos
  References: updated

Tue, 07 Apr 2026 08:15:00 +0000
  First Time appeared: Redhat rhel E4s
  CPEs: added cpe:/a:redhat:rhel_e4s:9.2::appstream, cpe:/o:redhat:rhel_e4s:9.2::baseos
  Vendors & Products: added Redhat rhel E4s
  References: updated

Mon, 06 Apr 2026 11:45:00 +0000
  First Time appeared: Redhat enterprise Linux Eus
  CPEs: added cpe:/o:redhat:enterprise_linux_eus:10.0
  Vendors & Products: added Redhat enterprise Linux Eus
  References: updated

Mon, 06 Apr 2026 08:00:00 +0000
  First Time appeared: Redhat rhel Eus
  CPEs: added cpe:/a:redhat:rhel_eus:9.6::appstream, cpe:/o:redhat:rhel_eus:9.6::baseos
  Vendors & Products: added Redhat rhel Eus
  References: updated

Tue, 24 Mar 2026 11:00:00 +0000
  CPEs: removed cpe:/o:redhat:enterprise_linux:8; added cpe:/a:redhat:enterprise_linux:8::appstream, cpe:/o:redhat:enterprise_linux:8::baseos
  References: updated

Tue, 24 Mar 2026 10:30:00 +0000
  First Time appeared: Redhat ceph Storage
  CPEs: added cpe:/a:redhat:ceph_storage:8::el9
  Vendors & Products: added Redhat ceph Storage
  References: updated

Wed, 18 Mar 2026 17:00:00 +0000
  First Time appeared: Redhat rhui
  CPEs: added cpe:/a:redhat:rhui:5::el9
  Vendors & Products: added Redhat rhui
  References: updated

Mon, 16 Mar 2026 20:00:00 +0000
  First Time appeared: Redhat insights Proxy
  CPEs: added cpe:/a:redhat:insights_proxy:1.5::el9
  Vendors & Products: added Redhat insights Proxy
  References: updated

Thu, 12 Mar 2026 17:45:00 +0000
  References: updated

Wed, 11 Mar 2026 09:15:00 +0000
  CPEs: removed cpe:/o:redhat:enterprise_linux:9; added cpe:/a:redhat:enterprise_linux:9::appstream, cpe:/o:redhat:enterprise_linux:9::baseos
  References: updated

Mon, 02 Mar 2026 17:15:00 +0000
  CPEs: removed cpe:/o:redhat:enterprise_linux:10; added cpe:/o:redhat:enterprise_linux:10.1
  References: updated

Tue, 10 Feb 2026 15:45:00 +0000
  First Time appeared: Red Hat, Red Hat enterprise Linux, Redhat openshift Container Platform
  Vendors & Products: added Red Hat, Red Hat enterprise Linux, Redhat openshift Container Platform

Tue, 10 Feb 2026 00:15:00 +0000
  References: updated
  Metrics: threat_severity changed from None to Moderate

Mon, 09 Feb 2026 16:15:00 +0000
  Metrics: added ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 15:15:00 +0000
  Description: added "A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs)."
  Title: added "Gnutls: gnutls: denial of service via excessive resource consumption during certificate verification"
  First Time appeared: Redhat, Redhat enterprise Linux, Redhat openshift
  Weaknesses: added CWE-407
  CPEs: added cpe:/a:redhat:openshift:4, cpe:/o:redhat:enterprise_linux:10, cpe:/o:redhat:enterprise_linux:6, cpe:/o:redhat:enterprise_linux:7, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9
  Vendors & Products: added Redhat, Redhat enterprise Linux, Redhat openshift
  References: updated
  Metrics: added cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-22T18:11:46.921Z

Reserved: 2025-12-17T14:44:59.859Z

Link: CVE-2025-14831

Vulnrichment

Updated: 2026-02-09T15:25:52.476Z

NVD

Status: Deferred

Published: 2026-02-09T15:16:09.937

Modified: 2026-04-22T19:16:59.630

Link: CVE-2025-14831

Redhat

Severity: Moderate

Public Date: 2026-02-09T14:26:34Z

Links: CVE-2025-14831 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T15:45:10Z

Weaknesses