CVE-2026-33846

HIGH

Gnutls: gnutls: denial of service via heap buffer overflow in dtls handshake fragment reassembly

Title source: cna
STIX 2.1

Description

A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.

References (19)

Core 19
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:20612
https://access.redhat.com/errata/RHSA-2026:20612
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2026:20613
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:26319
https://access.redhat.com/errata/RHSA-2026:26319
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:26409
https://access.redhat.com/errata/RHSA-2026:26409
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:29197
https://access.redhat.com/errata/RHSA-2026:29197
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:30004
https://access.redhat.com/errata/RHSA-2026:30004
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:30849
https://access.redhat.com/errata/RHSA-2026:30849
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:30850
https://access.redhat.com/errata/RHSA-2026:30850
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:32962
https://access.redhat.com/errata/RHSA-2026:32962
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:33125
https://access.redhat.com/errata/RHSA-2026:33125
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:34372
https://access.redhat.com/errata/RHSA-2026:34372
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:13274
https://access.redhat.com/errata/RHSA-2026:13274
Vdb Entry, X_Refsource_Redhat vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-33846
Issue Tracking, X_Refsource_Redhat issue-tracking x_refsource_redhat
RHBZ#2450625
https://bugzilla.redhat.com/show_bug.cgi?id=2450625
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:36004
https://access.redhat.com/errata/RHSA-2026:36004
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:36005
https://access.redhat.com/errata/RHSA-2026:36005
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:36006
https://access.redhat.com/errata/RHSA-2026:36006
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:20611
https://access.redhat.com/errata/RHSA-2026:20611

Scores

CVSS v3 7.5
EPSS 0.0126
EPSS Percentile 66.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-130
Status published
Products (36)
Red Hat/Red Hat AI Inference Server 3.2 1782951012
Red Hat/Red Hat AI Inference Server 3.2 1782951051
Red Hat/Red Hat AI Inference Server 3.2 1782951244
Red Hat/Red Hat Discovery 2 1782159791
Red Hat/Red Hat Discovery 2 1782166952
Red Hat/Red Hat Enterprise Linux 10
Red Hat/Red Hat Enterprise Linux 10 0:3.8.10-4.el10_2
Red Hat/Red Hat Enterprise Linux 10.0 Extended Update Support 0:3.8.9-9.el10_0.19
Red Hat/Red Hat Enterprise Linux 6
Red Hat/Red Hat Enterprise Linux 7
... and 26 more
Published May 04, 2026
Tracked Since May 04, 2026