Packages
- gnutls28 - GNU TLS library
Details
Joshua Rogers discovered that GnuTLS did not properly handle malformed
DTLS handshake fragments in certain cases. A remote attacker could
possibly use this issue to obtain sensitive information, or cause a
denial of service. (CVE-2026-33845)
Haruto Kimura, Oscar Reparaz, and Zou Dikai discovered that GnuTLS did
not properly validate DTLS handshake fragment lengths in certain cases. A
remote attacker could possibly use this issue to cause GnuTLS to crash,
resulting in a denial of service, or execute arbitrary code.
(CVE-2026-33846)
Oleh Konko and Joshua Rogers discovered that GnuTLS did not properly
validate OCSP responses in certain cases. A remote attacker could
possibly use this issue to bypass certificate revocation checks, leading
to a machine-in-the-middle attack. (CVE-2026-3832)
Oleh Konko and...
Joshua Rogers discovered that GnuTLS did not properly handle malformed
DTLS handshake fragments in certain cases. A remote attacker could
possibly use this issue to obtain sensitive information, or cause a
denial of service. (CVE-2026-33845)
Haruto Kimura, Oscar Reparaz, and Zou Dikai discovered that GnuTLS did
not properly validate DTLS handshake fragment lengths in certain cases. A
remote attacker could possibly use this issue to cause GnuTLS to crash,
resulting in a denial of service, or execute arbitrary code.
(CVE-2026-33846)
Oleh Konko and Joshua Rogers discovered that GnuTLS did not properly
validate OCSP responses in certain cases. A remote attacker could
possibly use this issue to bypass certificate revocation checks, leading
to a machine-in-the-middle attack. (CVE-2026-3832)
Oleh Konko and Joshua Rogers discovered that GnuTLS did not properly
handle case-insensitive name constraints in certain cases. A remote
attacker could possibly use this issue to bypass certificate validation,
leading to a machine-in-the-middle attack. (CVE-2026-3833)
Joshua Rogers discovered that GnuTLS did not properly order DTLS packets
with duplicate sequence numbers in certain cases. A remote attacker could
possibly use this issue to cause GnuTLS to crash, resulting in a denial
of service. (CVE-2026-42009)
Joshua Rogers discovered that GnuTLS did not properly handle usernames
containing NUL characters in certain RSA-PSK configurations. A remote
attacker could possibly use this issue to bypass authentication and gain
unintended access to services. (CVE-2026-42010)
Haruto Kimura discovered that GnuTLS did not properly apply permitted
name constraints in certain certificate validation paths. A remote
attacker could possibly use this issue to bypass certificate validation,
leading to a machine-in-the-middle attack. (CVE-2026-42011)
Oleh Konko discovered that GnuTLS incorrectly fell back to Common Name
checks for certain URI and SRV subject alternative names. A remote
attacker could possibly use this issue to bypass certificate validation,
leading to a machine-in-the-middle attack. (CVE-2026-42012)
Haruto Kimura and Joshua Rogers discovered that GnuTLS incorrectly fell
back to Common Name checks when subject alternative names were oversized.
A remote attacker could possibly use this issue to bypass certificate
validation, leading to a machine-in-the-middle attack. (CVE-2026-42013)
Luigino Camastra and Joshua Rogers discovered that GnuTLS had a
use-after-free issue when changing PKCS#11 token security officer PINs in
certain cases. An attacker could possibly use this issue to cause GnuTLS
to crash, resulting in a denial of service, or execute arbitrary code.
(CVE-2026-42014)
Zou Dikai discovered that GnuTLS did not properly validate PKCS#12 bag
sizes in certain cases. An attacker could possibly use this issue to
cause GnuTLS to crash, resulting in a denial of service, or execute
arbitrary code. (CVE-2026-42015)
Joshua Rogers discovered that GnuTLS did not properly handle very short
premaster secrets in certain RSA key exchange cases with PKCS#11-backed
server keys. A remote attacker could possibly use this issue to obtain
sensitive information. (CVE-2026-5260)
Doria Tang discovered that GnuTLS did not perform PKCS#7 padding checks
in constant time in certain cases. A remote attacker could possibly use
this issue to obtain sensitive information. This issue only affected
Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-5419)
Update instructions
In general, a standard system update will make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 26.04 LTS resolute | libgnutls30t64 – 3.8.12-2ubuntu1.1 | ||
| 25.10 questing | libgnutls30t64 – 3.8.9-3ubuntu2.2 | ||
| 24.04 LTS noble | libgnutls30t64 – 3.8.3-1.1ubuntu3.6 | ||
| 22.04 LTS jammy | libgnutls30 – 3.7.3-4ubuntu1.9 | ||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.
References
- CVE-2026-5419
- CVE-2026-5260
- CVE-2026-42015
- CVE-2026-42014
- CVE-2026-42013
- CVE-2026-42012
- CVE-2026-42011
- CVE-2026-42010
- CVE-2026-42009
- CVE-2026-3833
- CVE-2026-5419
- CVE-2026-5260
- CVE-2026-42015
- CVE-2026-42014
- CVE-2026-42013
- CVE-2026-42012
- CVE-2026-42011
- CVE-2026-42010
- CVE-2026-42009
- CVE-2026-3833
- CVE-2026-3832
- CVE-2026-33846
- CVE-2026-33845