CVE-2025-32989

Summary

A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.

Affected Software

VendorProductVersion RangeStatus
0 < 3.8.10affected
Red HatRed Hat Enterprise Linux 100:3.8.9-9.el10_0.14 < *unaffected
Red HatRed Hat Enterprise Linux 90:3.8.3-6.el9_6.2 < *unaffected
Red HatRed Hat Enterprise Linux 90:3.8.3-6.el9_6.2 < *unaffected
Red HatRed Hat Enterprise Linux 9.2 Update Services for SAP Solutions0:3.7.6-21.el9_2.4 < *unaffected
Red HatRed Hat Enterprise Linux 9.4 Extended Update Support0:3.8.3-4.el9_4.4 < *unaffected
Red HatRed Hat Ceph Storage 77 < *unaffected
Red HatRed Hat Discovery 22.3.0-1760554384 < *unaffected
Red HatRed Hat Hardened Images3.8.12-1.1.hum1 < *unaffected
Red HatRed Hat Insights proxy 1.51.5.7-1759331989 < *unaffected

Weaknesses

  • CWE-295: Improper Certificate Validation

Workarounds

Currently, no mitigation is available for this vulnerability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

Additional References

References