You are using an out of date browser. It may not display this or other websites correctly. You should upgrade or use an alternative browser.
gnutls
About this tag
GnuTLS is an open-source TLS/SSL library widely used in Linux distributions, appliances, and administration tools. Recent threads on WindowsForum.com cover multiple CVEs affecting GnuTLS, including denial-of-service flaws (CVE-2024-0567, CVE-2024-28835, CVE-2025-6395), a heap-buffer-overflow (CVE-2025-32990), and a double-free vulnerability (CVE-2025-32988). These vulnerabilities can be triggered by crafted certificates or template parsing, leading to crashes, memory corruption, or DoS. Discussions also address Microsoft's Azure Linux attestation for some CVEs and the broader supply-chain risk for products linking against vulnerable GnuTLS. Patching and rebuilding binaries are emphasized as critical steps.
Microsoft’s Security Update Guide entry for CVE-2026-42012 describes a GnuTLS certificate-validation bypass, published in late May 2026, in which certificates carrying URI or SRV Subject Alternative Names can be mishandled and accepted through a fallback to Common Name hostname checks in...
A subtle bug in GnuTLS’s certificate-chain handling can be forced into crashing the library when presented with a specially crafted chain that uses distributed trust — a denial-of-service flaw tracked as CVE-2024-0567 that affected upstream releases before a patch was shipped and has since been...
A newly published vulnerability in GnuTLS — tracked as CVE-2025-6395 — allows a remote attacker to trigger a NULL pointer dereference in the library’s _gnutls_figure_common_ciphersuite() routine, producing memory corruption and reliable denial‑of‑service (DoS) outcomes for processes that parse...
GnuTLS’s certtool template-parsing bug tracked as CVE-2025-32990 is real and was mapped by Microsoft to its Azure Linux product family — but the simple sentence on the MSRC CVE page does not mean Azure Linux is the only Microsoft artifact that can contain GnuTLS. Microsoft’s wording is a...
A double‑free in GnuTLS’s Subject Alternative Name export logic — tracked as CVE‑2025‑32988 — can be triggered by a crafted certificate containing an otherName SAN with a malformed type‑id OID, allowing the library to free the same ASN.1 node twice (via asn1_delete_structure()), which in real...
The short answer is: Microsoft has publicly attested that the Azure Linux distribution includes the vulnerable GnuTLS component for CVE‑2025‑32989, but that attestation is product‑scoped — it is not proof that no other Microsoft product or image can include the same upstream library. In...
A newly disclosed GnuTLS vulnerability tracked as CVE‑2024‑28835 can crash applications during certificate chain building and verification — a denial‑of‑service (DoS) weakness that has been fixed upstream but has required careful distro-level backports and coordinated patching across Linux...