https://feed.craftedsignal.io/tags/gnutls/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 30 Apr 2026 18:16:28 +0000https://feed.craftedsignal.io/briefs/2026-04-gnutls-dtls-flaw/Thu, 30 Apr 2026 18:16:28 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-gnutls-dtls-flaw/A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read, potentially causing information disclosure or denial of service.CVE-2026-33845 describes a vulnerability in the GnuTLS library related to the parsing of DTLS handshake fragments. The vulnerability stems from improper handling of malformed fragments that have a zero length but a non-zero offset. This leads to an integer underflow during the reassembly process, which then triggers an out-of-bounds read. The vulnerability is remotely exploitable, meaning an attacker could potentially trigger it without needing local access. Successful exploitation can lead to information disclosure or a denial-of-service condition. The affected component is the GnuTLS library, which is used by various applications for secure communication.

Attack Chain

1. An attacker crafts a malicious DTLS handshake fragment with a zero length and non-zero offset.
2. The attacker sends the malformed DTLS handshake fragment to a vulnerable GnuTLS server.
3. The GnuTLS library receives the fragment and begins the reassembly process.
4. The integer underflow occurs when calculating the correct offset for the fragment reassembly.
5. The integer underflow leads to an out-of-bounds memory read operation.
6. The out-of-bounds read allows the attacker to potentially read sensitive information from the server’s memory.
7. Alternatively, the out-of-bounds read may cause the server to crash, resulting in a denial-of-service.
8. The attacker achieves either information disclosure or denial-of-service based on the server’s response to the out-of-bounds read.

Impact

Successful exploitation of CVE-2026-33845 can lead to a denial-of-service condition, impacting the availability of services relying on the vulnerable GnuTLS library. The out-of-bounds read can also potentially expose sensitive information from the server’s memory, leading to data breaches. Given the widespread use of GnuTLS in various applications, a successful widespread attack could affect numerous organizations and users.

Recommendation

• Apply available patches for GnuTLS provided by Red Hat or other vendors to address CVE-2026-33845.
• Monitor network traffic for malformed DTLS handshake fragments with zero length and non-zero offset that may indicate exploitation attempts targeting CVE-2026-33845.
• Deploy the Sigma rule DetectGnuTLSDTLSMalformedFragment to identify suspicious network connections associated with the vulnerability.

]]>highadvisorycvedenial-of-serviceinformation-disclosuregnutlshttps://feed.craftedsignal.io/briefs/2026-04-gnutls-dos/Thu, 09 Apr 2026 18:16:44 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-gnutls-dos/A remote, unauthenticated attacker can exploit CVE-2026-1584 in gnutls by sending a specially crafted ClientHello message with an invalid Pre-Shared Key (PSK) binder value during the TLS handshake, leading to a NULL pointer dereference and a denial-of-service condition.CVE-2026-1584 is a vulnerability found in the gnutls library, a widely used implementation of the TLS protocol. This vulnerability allows an unauthenticated, remote attacker to cause a denial-of-service (DoS) condition on a server utilizing a vulnerable version of gnutls. The attack involves sending a specially crafted TLS ClientHello message containing an invalid Pre-Shared Key (PSK) binder value. This malformed message triggers a NULL pointer dereference within the gnutls library, leading to a server crash. The vulnerability was reported on April 9, 2026, and affects systems using gnutls for TLS communication. This vulnerability poses a significant risk to services relying on gnutls for secure communication, potentially disrupting availability and impacting users.

Attack Chain

1. Attacker identifies a server utilizing a vulnerable version of gnutls.
2. Attacker crafts a TLS ClientHello message.
3. Attacker modifies the ClientHello message to include an invalid Pre-Shared Key (PSK) binder value.
4. Attacker sends the crafted ClientHello message to the target server.
5. The server’s gnutls library processes the malformed ClientHello message.
6. Due to the invalid PSK binder, a NULL pointer dereference occurs within gnutls.
7. The NULL pointer dereference causes the gnutls process to crash.
8. The server becomes unavailable, resulting in a denial-of-service condition.

Impact

Successful exploitation of CVE-2026-1584 leads to a denial-of-service condition, rendering the affected server unavailable. The impact is service disruption for any application relying on the vulnerable gnutls instance. There is no specific victim count available; however, any server using a vulnerable version of gnutls is susceptible. The vulnerable software is used across multiple sectors, including web servers, mail servers, and VPN gateways. A successful attack disrupts TLS communication, preventing users from accessing services.

Recommendation

• Monitor network traffic for malformed TLS ClientHello messages containing invalid PSK binder values to detect potential exploitation attempts. (See Sigma rule “Detect Malformed TLS ClientHello with Invalid PSK Binder”)
• Upgrade to a patched version of gnutls that addresses CVE-2026-1584 to remediate the vulnerability.
• Implement rate limiting on TLS connections to mitigate the impact of DoS attacks.
• Enable verbose logging on TLS connections to aid in the detection and analysis of exploitation attempts (e.g., webserver logs).

]]>highadvisorycve-2026-1584denial-of-servicegnutlshttps://feed.craftedsignal.io/briefs/2024-01-03-gnutls-dtls-overflow/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-gnutls-dtls-overflow/A heap buffer overflow vulnerability, CVE-2026-33846, exists in the DTLS handshake fragment reassembly logic of GnuTLS, allowing unauthenticated remote attackers to cause application crashes or potential memory corruption by sending crafted DTLS fragments with conflicting message lengths.A heap buffer overflow vulnerability has been identified in the DTLS handshake fragment reassembly logic of GnuTLS. The vulnerability, tracked as CVE-2026-33846, resides within the merge_handshake_packet() function. This function is responsible for matching and merging incoming DTLS handshake fragments. The core issue is the lack of validation for the message_length field across different fragments belonging to the same logical message. An attacker can exploit this flaw by transmitting malicious DTLS fragments that contain inconsistent message_length values. This inconsistency leads the GnuTLS implementation to allocate a buffer based on a smaller, initial fragment but subsequently attempts to write data beyond the allocated buffer’s boundaries using the larger, conflicting fragments. This out-of-bounds write on the heap can be triggered remotely without requiring any form of authentication, making it a critical vulnerability. Successful exploitation can lead to application crashes or, potentially, arbitrary memory corruption.

Attack Chain

1. Attacker initiates a DTLS handshake with a vulnerable GnuTLS server.
2. The attacker sends a first DTLS handshake fragment with a small message_length value.
3. The vulnerable merge_handshake_packet() function allocates a heap buffer based on the initial, smaller message_length.
4. Attacker sends a subsequent DTLS handshake fragment for the same handshake message with a larger, inconsistent message_length value.
5. merge_handshake_packet() incorrectly merges the second fragment into the allocated buffer without proper bounds checking.
6. The write operation overflows the allocated heap buffer, corrupting adjacent memory.
7. The application crashes due to memory corruption, or the attacker potentially gains further control.

Impact

Successful exploitation of CVE-2026-33846 can lead to denial-of-service conditions due to application crashes. Memory corruption could allow for arbitrary code execution, but this is a less likely outcome. Given the widespread use of GnuTLS in various applications and systems, a large number of services could be impacted.

Recommendation

• Monitor network traffic for DTLS handshakes with inconsistent message_length values in fragmented handshake messages using the provided Sigma rule Detect DTLS Handshake Fragment Length Mismatch.
• Apply available patches from GnuTLS to remediate CVE-2026-33846.
• Implement rate limiting for DTLS handshake requests to mitigate potential denial-of-service attacks.

]]>highadvisorycve-2026-33846dtlsheap overflowgnutlsnetwork