CVE-2025-9820
Buffer Overflow in GnuTLS PKCS#11 Token Causes Crash, Escalation
Publication date: 2026-01-26
Last updated on: 2026-05-05
Assigner: Red Hat, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gnutls | gnutls | 3.8.11 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9820 is a stack-based buffer overflow in the GnuTLS library function gnutls_pkcs11_token_init(), which initializes PKCS#11 tokens. The function copies the token label into a fixed-size 32-byte stack buffer with memcpy using the full label length, without checking that the label fits. A label longer than 32 characters therefore overwrites the stack beyond the buffer, which can crash the application or, under certain conditions, be exploited for arbitrary code execution. The vulnerability was fixed by adding a length check that truncates the copy to the size of the buffer, preventing the overflow. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can impact you by causing applications that use the GnuTLS library to crash (denial of service) if they process a PKCS#11 token with a label longer than 32 characters. In some environments, it may also allow a local attacker to execute arbitrary code or escalate privileges by exploiting the stack overflow. Exploitation requires local access or interaction with a malicious PKCS#11 token. Therefore, systems relying on GnuTLS for cryptographic operations may be vulnerable to denial-of-service attacks or local privilege escalation. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your system or applications use the GnuTLS library version prior to 3.8.11, which contains the vulnerable gnutls_pkcs11_token_init() function. Specifically, detection involves verifying if PKCS#11 tokens with labels longer than 32 characters are being initialized or processed, as this triggers the overflow. While no explicit detection commands are provided, you can audit your system for GnuTLS versions and monitor applications that interact with PKCS#11 tokens. Additionally, testing with a token label longer than 32 characters (e.g., using the test program 'long-label.c' mentioned in the fix commit) can help identify if the vulnerability is present by observing crashes or abnormal behavior. [1, 3, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Validating and rejecting PKCS#11 token labels longer than 32 characters in applications using GnuTLS to prevent triggering the overflow. 2) Upgrading the GnuTLS library to version 3.8.11 or later, where the vulnerability is fixed by adding proper bounds checking on the token label copy operation. 3) Optionally, compiling GnuTLS with the -D_FORTIFY_SOURCE=2 flag to add additional buffer overflow protections. These steps reduce the risk of denial-of-service or local privilege escalation attacks caused by this vulnerability. [1, 4]
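The defect described in the explanation above and the two code-level mitigations listed here (rejecting over-long labels, and bounding the copy) side by side, as an added illustration written for this page. It is not GnuTLS's own code: the function names, the 32-byte space-padded label field (the PKCS#11 CK_TOKEN_INFO label format) and the sample label are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* PKCS#11 token labels are fixed 32-byte, space-padded fields. */
#define TOKEN_LABEL_LEN 32

/* The defective pattern the advisory describes: the whole label length is
 * copied into a 32-byte stack buffer, so a label longer than 32 bytes writes
 * past the end of the buffer. Kept only as the "before" for comparison;
 * never call it on input you do not control. */
void format_token_label_unsafe(char out[TOKEN_LABEL_LEN], const char *label)
{
    memset(out, ' ', TOKEN_LABEL_LEN);
    if (label != NULL)
        memcpy(out, label, strlen(label)); /* no bound against the buffer size */
}

/* Hardened form, matching the fix described on this page: copy at most
 * TOKEN_LABEL_LEN bytes and keep the remainder space-padded. Returns the
 * number of label bytes copied, so a caller can notice truncation. */
size_t format_token_label(char out[TOKEN_LABEL_LEN], const char *label)
{
    size_t n = 0;
    memset(out, ' ', TOKEN_LABEL_LEN);
    if (label != NULL) {
        n = strlen(label);
        if (n > TOKEN_LABEL_LEN)
            n = TOKEN_LABEL_LEN; /* the missing length check */
        memcpy(out, label, n);
    }
    return n;
}

/* Application-level check (mitigation step 1): reject a label that would not
 * fit instead of passing it down to the library. Returns 1 if acceptable. */
int token_label_is_valid(const char *label)
{
    return label != NULL && strlen(label) <= TOKEN_LABEL_LEN;
}

int main(void)
{
    /* Constructed sample label, deliberately longer than 32 bytes. */
    const char *label = "this-label-is-deliberately-longer-than-thirty-two-bytes";
    char field[TOKEN_LABEL_LEN];
    if (!token_label_is_valid(label))
        printf("rejected: label is %zu bytes, limit is %d\n", strlen(label), TOKEN_LABEL_LEN);
    printf("bounded copy kept %zu bytes: %.*s\n",
           format_token_label(field, label), TOKEN_LABEL_LEN, field);
    return 0;
}
```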