Description
A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.
Published: 2026-01-26
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential local privilege escalation and denial of service
Action: Apply Patch
AI Analysis

Impact

A stack-based buffer overflow was discovered in the GnuTLS library function gnutls_pkcs11_token_init(). When a PKCS#11 token label longer than the expected fixed size is processed, the function writes past the end of the stack buffer, which can crash the application or, under certain conditions, allow arbitrary code execution. The vulnerability is classified as CWE-121 and can lead to a denial of service or local privilege escalation in applications that rely on GnuTLS for encryption services.

Affected Systems

Red Hat products that ship the vulnerable GnuTLS library are affected. The impacted releases include Red Hat Ceph Storage 8, Red Hat Discovery 2, Red Hat Enterprise Linux 6, 7, 8, 9 and 10, Red Hat Hardened Images, Red Hat Insights Proxy 1.5, Red Hat OpenShift Container Platform 4, and Red Hat Update Infrastructure 5. No specific minor or patch version ranges are supplied; every instance of the vulnerable library, and every application that calls the affected GnuTLS function, should be treated as at risk.

Risk and Exploitability

The vulnerability carries a CVSS v3.1 base score of 4 (Medium), the EPSS score is listed as < 1%, and the flaw is not included in the CISA KEV catalog. The CVSS vector (AV:L) records a local attack vector: a user or process able to supply PKCS#11 token labels to the application can trigger the overflow. Note that the vector rates only an availability impact (C:N/I:N/A:L); code execution or privilege escalation would additionally require the attacker to gain control of the overwritten stack contents within the context of the vulnerable application. Given the low EPSS probability and the absence of remote exposure, the immediate risk is moderate, but the update should be applied as soon as feasible.

Generated by OpenCVE AI on April 20, 2026 at 16:33 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria, comprising ease of use and deployment, applicability to a widespread installation base, or stability. Applying the upstream patch or vendor-supplied security update is the recommended resolution.


OpenCVE Recommended Actions

  • Apply the vendor-supplied security update for the affected Red Hat products as released in RHSA-2026:3477, RHSA-2026:4188, RHSA-2026:4655, RHSA-2026:4943, RHSA-2026:5585, RHSA-2026:5606, or RHSA-2026:7329.
  • In the absence of a vendor patch, apply the upstream GnuTLS patch identified in commit 1d56f96f6ab5034d677136b9d50b5a75dff0faf5 and rebuild affected applications to use the patched library version.
  • If a patch cannot be applied immediately, reconfigure the application to reject token labels exceeding the expected length or disable PKCS#11 functionality if it is not required for the deployment.
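As an added illustration of the overflow described under Impact and of the length check suggested in the last action above (this is not GnuTLS's own code; the 32-byte, space-padded field size is an assumption taken from the PKCS#11 CK_TOKEN_INFO label format), the unchecked copy pattern sits next to a hardened form that rejects over-long labels before touching the fixed buffer:

```c
/* Added example, not GnuTLS code. Models a fixed-size, space-padded token
 * label of the kind PKCS#11 uses (CK_TOKEN_INFO.label: 32 bytes, padded with
 * spaces, not NUL-terminated). The unchecked variant copies strlen(label)
 * bytes with no bound; the checked variant rejects over-long labels. */
#include <stdio.h>
#include <string.h>

#define TOKEN_LABEL_LEN 32

/* Unsafe pattern: a label longer than 32 bytes overruns the caller's
 * fixed-size stack array (CWE-121). Kept here only for contrast. */
void pad_label_unchecked(char out[TOKEN_LABEL_LEN], const char *label)
{
    memset(out, ' ', TOKEN_LABEL_LEN);
    memcpy(out, label, strlen(label)); /* no bound check */
}

/* Hardened form: measure at most 33 bytes, then reject anything that is
 * NULL, empty, or longer than the field. Returns 0 on success, -1 on
 * rejection; rejecting (not truncating) keeps the label unambiguous. */
int pad_label_checked(char out[TOKEN_LABEL_LEN], const char *label)
{
    size_t n = 0;

    if (label == NULL)
        return -1;
    while (n <= TOKEN_LABEL_LEN && label[n] != '\0')
        n++;                         /* bounded scan, never past 33 bytes */
    if (n == 0 || n > TOKEN_LABEL_LEN)
        return -1;
    memset(out, ' ', TOKEN_LABEL_LEN);
    memcpy(out, label, n);           /* n <= 32, so this cannot overflow */
    return 0;
}

int main(void)
{
    char field[TOKEN_LABEL_LEN];
    /* constructed inputs: one valid label and one that is 40 bytes long */
    const char *ok = "build-signing-token";
    const char *too_long = "0123456789012345678901234567890123456789";

    printf("%s -> %d\n", ok, pad_label_checked(field, ok));
    printf("%.*s|\n", TOKEN_LABEL_LEN, field);       /* padded to 32 */
    printf("%zu-byte label -> %d (rejected)\n", strlen(too_long),
           pad_label_checked(field, too_long));
    return 0;
}
```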

Advisories
Source      ID          Title
Debian DLA  DLA-4492-1  gnutls28 security update
Debian DSA  DSA-6140-1  gnutls28 security update
Ubuntu USN  USN-8043-1  GnuTLS vulnerabilities
History

Wed, 22 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
References

Mon, 13 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat hummingbird
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat hummingbird

Thu, 09 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat discovery
CPEs cpe:/a:redhat:discovery:2::el9
Vendors & Products Redhat discovery
References

Tue, 24 Mar 2026 11:00:00 +0000

Type Values Removed Values Added
CPEs Removed: cpe:/o:redhat:enterprise_linux:8 | Added: cpe:/a:redhat:enterprise_linux:8::appstream, cpe:/o:redhat:enterprise_linux:8::baseos
References

Tue, 24 Mar 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat ceph Storage
CPEs cpe:/a:redhat:ceph_storage:8::el9
Vendors & Products Redhat ceph Storage
References

Wed, 18 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhui
CPEs cpe:/a:redhat:rhui:5::el9
Vendors & Products Redhat rhui
References

Mon, 16 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat insights Proxy
CPEs cpe:/a:redhat:insights_proxy:1.5::el9
Vendors & Products Redhat insights Proxy
References

Wed, 11 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
CPEs Removed: cpe:/o:redhat:enterprise_linux:9 | Added: cpe:/a:redhat:enterprise_linux:9::appstream, cpe:/o:redhat:enterprise_linux:9::baseos
References

Mon, 02 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs Removed: cpe:/o:redhat:enterprise_linux:10 | Added: cpe:/o:redhat:enterprise_linux:10.1
References

Mon, 26 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
References

Mon, 26 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.
Title Gnutls: stack-based buffer overflow in gnutls_pkcs11_token_init() function
First Time appeared Redhat
Redhat enterprise Linux
Redhat openshift
Weaknesses CWE-121
CPEs cpe:/a:redhat:openshift:4
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat openshift
References
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-22T01:30:18.539Z

Reserved: 2025-09-02T07:22:32.478Z

Link: CVE-2025-9820

Vulnrichment

Updated: 2026-01-26T20:08:12.926Z

NVD

Status : Deferred

Published: 2026-01-26T20:16:09.370

Modified: 2026-04-22T02:16:01.607

Link: CVE-2025-9820

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T16:45:11Z

Weaknesses