Описание
A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.
Отчет
This vulnerability is rated Moderate rather than Important because, although it involves a memory management flaw (double-free) that can potentially lead to memory corruption, practical exploitation is limited by modern memory protection mechanisms and contextual constraints. The issue occurs only when processing malformed SAN otherName entries through public GnuTLS APIs—an uncommon and controlled code path in most deployments. Furthermore, exploitation for arbitrary code execution is highly dependent on allocator behavior and requires precise heap manipulation, which is non-trivial under defenses such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), and hardened memory allocators. In the majority of cases, the outcome would be a crash or denial of service rather than a reliable compromise of integrity or confidentiality. Therefore, given its limited attack surface, dependency on crafted input, and the presence of strong runtime mitigations, the impact justifies a Moderate severity classification instead of Important. As such, successfully triggering this vulnerability would require a sophisticated attack vector that is capable of accounting for the many native and deployed security mechanisms designed to detect and contain a double-free condition.
Меры по смягчению последствий
Currently, no mitigation is available for this vulnerability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | gnutls | Out of support scope | ||
| Red Hat Enterprise Linux 7 | gnutls | Out of support scope | ||
| Red Hat OpenShift Container Platform 4 | rhcos | Fix deferred | ||
| Red Hat Enterprise Linux 10 | gnutls | Fixed | RHSA-2025:16115 | 17.09.2025 |
| Red Hat Enterprise Linux 8 | gnutls | Fixed | RHSA-2025:17415 | 07.10.2025 |
| Red Hat Enterprise Linux 8 | gnutls | Fixed | RHSA-2025:17415 | 07.10.2025 |
| Red Hat Enterprise Linux 9 | gnutls | Fixed | RHSA-2025:16116 | 17.09.2025 |
| Red Hat Enterprise Linux 9 | gnutls | Fixed | RHSA-2025:16116 | 17.09.2025 |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | gnutls | Fixed | RHSA-2025:17361 | 06.10.2025 |
| Red Hat Enterprise Linux 9.4 Extended Update Support | gnutls | Fixed | RHSA-2025:17348 | 06.10.2025 |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.
A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.
A flaw was found in GnuTLS. A double-free vulnerability exists in GnuT ...
A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.
EPSS
6.5 Medium
CVSS3