Description
A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.
Published: 2026-05-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap buffer overflow exists in GnuTLS’ DTLS handshake fragment reassembly logic. The vulnerability resides in merge_handshake_packet() where incoming handshake fragments are merged only by type, without validating that all fragments of a logical message agree on the message_length field. An attacker can send crafted DTLS fragments that contain conflicting message_length values, causing the implementation to allocate a buffer based on the length of the first fragment and then write data from subsequent larger fragments beyond that buffer. The lack of bounds checking during the merge operation allows an out‑of‑bounds write on the heap, which can crash the application or lead to general memory corruption. Because no authentication is required, remote attackers can trigger this by initiating a DTLS handshake with the victim.

Affected Systems

Red Hat Enterprise Linux 10, 6, 7, 8, and 9, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4 contain the affected GnuTLS implementation. The vulnerability applies to all components on those platforms that use GnuTLS for DTLS communication. The affected products are identified by the vendor name and product line; version details are not provided in the current data.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score is unavailable, suggesting no current known exploitation data. The vulnerability is listed as not being in the CISA KEV catalog, but it can still be exploited remotely without authentication. Attackers can trigger the issue simply by initiating a DTLS connection with crafted fragments, either from external or internal traffic. The lack of authentication and the remote nature of the attack vector make this a high‑risk vulnerability for any exposed DTLS services.

Generated by OpenCVE AI on May 4, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch that updates GnuTLS to a version where merge_handshake_packet() validates message_length across fragments.
  • Disable DTLS or block inbound DTLS traffic on affected systems until the patch is applied.
  • Monitor system logs for unexpected application crashes or out‑of‑bounds access errors related to DTLS handshakes.

Generated by OpenCVE AI on May 4, 2026 at 10:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 13:30:00 +0000

Type Values Removed Values Added
References

Mon, 04 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 04 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.
Title Gnutls: gnutls: denial of service via heap buffer overflow in dtls handshake fragment reassembly
First Time appeared Redhat
Redhat enterprise Linux
Redhat hummingbird
Redhat openshift
Weaknesses CWE-130
CPEs cpe:/a:redhat:hummingbird:1
cpe:/a:redhat:openshift:4
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat hummingbird
Redhat openshift
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Redhat Enterprise Linux Hummingbird Openshift
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-04T13:23:18.797Z

Reserved: 2026-03-24T05:31:54.914Z

Link: CVE-2026-33846

cve-icon Vulnrichment

Updated: 2026-05-04T12:46:48.609Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-04T10:15:59.690

Modified: 2026-05-04T15:22:52.850

Link: CVE-2026-33846

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-04T08:53:59Z

Links: CVE-2026-33846 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T10:30:42Z

Weaknesses