CVE-2026-5419

Summary

A flaw was found in gnutls. The PKCS#7 padding check, performed during decryption, was not constant-time. This timing side-channel could allow a remote attacker to potentially leak sensitive information about the padding bytes through observable timing differences. This vulnerability is a form of information disclosure.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat Enterprise Linux 100:3.8.10-4.el10_2 < *unaffected
Red HatRed Hat Enterprise Linux 10.0 Extended Update Support0:3.8.9-9.el10_0.19 < *unaffected
Red HatRed Hat Enterprise Linux 90:3.8.10-4.el9_8 < *unaffected
Red HatRed Hat Enterprise Linux 90:3.8.10-4.el9_8 < *unaffected
Red HatRed Hat Enterprise Linux 9.4 Update Services for SAP Solutions0:3.8.3-4.el9_4.6 < *unaffected
Red HatRed Hat Enterprise Linux 9.6 Extended Update Support0:3.8.3-6.el9_6.4 < *unaffected
Red HatRed Hat Discovery 21782159791 < *unaffected
Red HatRed Hat Discovery 21782166952 < *unaffected
Red HatRed Hat Update Infrastructure 51781525684 < *unaffected
Red HatRed Hat Update Infrastructure 51781525671 < *unaffected
Red HatRed Hat Update Infrastructure 51781525693 < *unaffected
Red HatRed Hat Update Infrastructure 51781525739 < *unaffected

Weaknesses

  • CWE-208: Observable Timing Discrepancy

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References