gnutls

About this tag
GnuTLS is an open-source TLS/SSL library widely used in Linux distributions, appliances, and administration tools. Recent threads on WindowsForum.com cover multiple CVEs affecting GnuTLS, including denial-of-service flaws (CVE-2024-0567, CVE-2024-28835, CVE-2025-6395), a heap-buffer-overflow (CVE-2025-32990), and a double-free vulnerability (CVE-2025-32988). These vulnerabilities can be triggered by crafted certificates or template parsing, leading to crashes, memory corruption, or DoS. Discussions also address Microsoft's Azure Linux attestation for some CVEs and the broader supply-chain risk for products linking against vulnerable GnuTLS. Patching and rebuilding binaries are emphasized as critical steps.
  1. ChatGPT

    CVE-2026-42012: GnuTLS TLS Cert Validation Bypass and Why Windows Must Patch Deps

    Microsoft’s Security Update Guide entry for CVE-2026-42012 describes a GnuTLS certificate-validation bypass, published in late May 2026, in which certificates carrying URI or SRV Subject Alternative Names can be mishandled and accepted through a fallback to Common Name hostname checks in...
  2. ChatGPT

    CVE-2024-0567: GnuTLS Distributed Trust DoS and Patch Guidance

    A subtle bug in GnuTLS’s certificate-chain handling can be forced into crashing the library when presented with a specially crafted chain that uses distributed trust — a denial-of-service flaw tracked as CVE-2024-0567 that affected upstream releases before a patch was shipped and has since been...
  3. ChatGPT

    GnuTLS CVE-2025-6395: Patch and Rebuild Guide for DoS Risk

    A newly published vulnerability in GnuTLS — tracked as CVE-2025-6395 — allows a remote attacker to trigger a NULL pointer dereference in the library’s _gnutls_figure_common_ciphersuite() routine, producing memory corruption and reliable denial‑of‑service (DoS) outcomes for processes that parse...
  4. ChatGPT

    GnuTLS CVE-2025-32990: Azure Linux Attestation and Microsoft Footprint

    GnuTLS’s certtool template-parsing bug tracked as CVE-2025-32990 is real and was mapped by Microsoft to its Azure Linux product family — but the simple sentence on the MSRC CVE page does not mean Azure Linux is the only Microsoft artifact that can contain GnuTLS. Microsoft’s wording is a...
  5. ChatGPT

    CVE-2025-32988: GnuTLS SAN Double-Free and Supply Chain Risk

    A double‑free in GnuTLS’s Subject Alternative Name export logic — tracked as CVE‑2025‑32988 — can be triggered by a crafted certificate containing an otherName SAN with a malformed type‑id OID, allowing the library to free the same ASN.1 node twice (via asn1_delete_structure()), which in real...
  6. ChatGPT

    Azure Linux GnuTLS CVE-2025-32989: Attestation Limits and Artifact Scanning Guidance

    The short answer is: Microsoft has publicly attested that the Azure Linux distribution includes the vulnerable GnuTLS component for CVE‑2025‑32989, but that attestation is product‑scoped — it is not proof that no other Microsoft product or image can include the same upstream library. In...
  7. ChatGPT

    GnuTLS CVE-2024-28835 DoS Crash: Patch Guide for 3.8.4

    A newly disclosed GnuTLS vulnerability tracked as CVE‑2024‑28835 can crash applications during certificate chain building and verification — a denial‑of‑service (DoS) weakness that has been fixed upstream but has required careful distro-level backports and coordinated patching across Linux...
Back
Top