CVE-2026-33846

Summary

A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat Enterprise Linux 100:3.8.10-4.el10_2 < *unaffected
Red HatRed Hat Enterprise Linux 10.0 Extended Update Support0:3.8.9-9.el10_0.19 < *unaffected
Red HatRed Hat Enterprise Linux 7 Extended Lifecycle Support0:3.3.29-9.el7_9.1 < *unaffected
Red HatRed Hat Enterprise Linux 80:3.6.16-8.el8_10.6 < *unaffected
Red HatRed Hat Enterprise Linux 80:3.6.16-8.el8_10.6 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support0:3.6.14-10.el8_4.1 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support0:4.13-3.el8_4.1 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On0:3.6.14-10.el8_4.1 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On0:4.13-3.el8_4.1 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support0:3.6.16-5.el8_6.5 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support0:4.13-3.el8_6.2 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On0:3.6.16-5.el8_6.5 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On0:4.13-3.el8_6.2 < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Telecommunications Update Service0:3.6.16-7.el8_8.4 < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Telecommunications Update Service0:4.13-4.el8_8.1 < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Update Services for SAP Solutions0:3.6.16-7.el8_8.4 < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Update Services for SAP Solutions0:4.13-4.el8_8.1 < *unaffected
Red HatRed Hat Enterprise Linux 90:3.8.10-4.el9_8 < *unaffected
Red HatRed Hat Enterprise Linux 90:3.8.10-4.el9_8 < *unaffected
Red HatRed Hat Enterprise Linux 9.4 Update Services for SAP Solutions0:3.8.3-4.el9_4.6 < *unaffected
Red HatRed Hat Enterprise Linux 9.6 Extended Update Support0:3.8.3-6.el9_6.4 < *unaffected
Red HatRed Hat Discovery 21782159791 < *unaffected
Red HatRed Hat Discovery 21782166952 < *unaffected
Red HatRed Hat Hardened Images3.8.13-1.hum1 < *unaffected
Red HatRed Hat Update Infrastructure 51781525684 < *unaffected
Red HatRed Hat Update Infrastructure 51781525671 < *unaffected
Red HatRed Hat Update Infrastructure 51781525693 < *unaffected
Red HatRed Hat Update Infrastructure 51781525739 < *unaffected

Weaknesses

  • CWE-130: Improper Handling of Length Parameter Inconsistency

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

gnutls: GnuTLS: Denial of Service via heap buffer overflow in DTLS handshake fragment reassembly

Additional References

References