CVE-2026-1584
NULL Pointer Dereference in GnuTLS TLS Handshake Causes DoS

Publication date: 2026-04-09

Last updated on: 2026-05-03

Assigner: Red Hat, Inc.

Description
A flaw was found in gnutls. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted ClientHello message with an invalid Pre-Shared Key (PSK) binder value during the TLS handshake. This can lead to a NULL pointer dereference, causing the server to crash and resulting in a remote Denial of Service (DoS) condition.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor    Product            Version / Range
gnu       gnutls             *
redhat    hardened_images    *
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-1584 is a remote Denial of Service (DoS) vulnerability in gnutls caused by a NULL pointer dereference triggered by a malicious TLS client.

The issue occurs when the server processes a specially crafted ClientHello message containing an invalid Pre-Shared Key (PSK) binder value during the TLS handshake.

Specifically, during PSK binder verification, the server-side code fails to properly handle a NULL return from a function that obtains PSK credentials, leading to a NULL pointer dereference.

This causes the server to crash, resulting in a remote Denial of Service condition.


How can this vulnerability impact me?

This vulnerability allows a remote, unauthenticated attacker to crash a gnutls-based TLS server by sending a malformed ClientHello message with an invalid PSK binder.

The impact is a remote Denial of Service (DoS), meaning the server becomes unavailable to legitimate users until it is restarted or recovers.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for crashes or Denial of Service (DoS) conditions on gnutls-based TLS servers triggered by malformed ClientHello messages containing invalid Pre-Shared Key (PSK) binder values.

Since the issue is caused by a specially crafted ClientHello message with an invalid PSK binder, detection involves capturing and analyzing TLS handshake messages to identify such malformed ClientHello packets.

Commands to detect this may include using network packet capture tools like tcpdump or Wireshark to filter and inspect ClientHello messages for abnormal PSK binder values.

  • Use tcpdump to capture TLS ClientHello messages: tcpdump -i <interface> -w capture.pcap 'tcp port 443'
  • Analyze the capture with Wireshark to inspect ClientHello messages and PSK binder extensions for invalid or malformed values.

Additionally, monitoring server logs for unexpected crashes or core dumps related to gnutls can help detect exploitation attempts.
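The detection advice above comes down to inspecting captured ClientHello messages for a malformed PSK binder. As an added illustration (not GnuTLS, Red Hat or this page's own code), the following Python script walks a raw ClientHello handshake message, locates the pre_shared_key extension (type 41, RFC 8446 section 4.2.11) and reports structural problems with its binders list: a binder count that does not match the identity count, zero-length or implausibly sized binders, trailing bytes, truncation, or the extension not being last. It checks layout only; whether a binder is cryptographically valid can only be decided by a party holding the PSK, so treat this as a triage aid for captures taken around a server crash, not a verdict. The sample messages are constructed inline, and the accepted binder lengths (32 and 48 bytes) are an assumption covering the SHA-256 and SHA-384 based TLS 1.3 suites.

```python
"""Structural checker for the pre_shared_key extension of a TLS 1.3 ClientHello (RFC 8446 4.2.11).
Added example, not GnuTLS or Red Hat code; it judges layout only, never binder validity."""
import struct

PRE_SHARED_KEY = 41
VALID_BINDER_LENGTHS = {32, 48}  # assumption: SHA-256 / SHA-384 based TLS 1.3 suites only

def _take(buf, pos, n):
    """Slice n bytes at pos, raising ValueError instead of silently truncating."""
    if pos + n > len(buf):
        raise ValueError(f"truncated at offset {pos}, need {n} bytes")
    return buf[pos:pos + n], pos + n

def parse_extensions(msg):
    """Walk a ClientHello handshake message and return its [(type, data)] extensions."""
    hdr, pos = _take(msg, 0, 4)
    if hdr[0] != 0x01 or int.from_bytes(hdr[1:4], "big") != len(msg) - 4:
        raise ValueError("not a well-formed ClientHello handshake message")
    _, pos = _take(msg, pos, 2 + 32)                      # legacy_version + random
    n, pos = _take(msg, pos, 1)                           # legacy_session_id
    _, pos = _take(msg, pos, n[0])
    n, pos = _take(msg, pos, 2)                           # cipher_suites
    _, pos = _take(msg, pos, struct.unpack("!H", n)[0])
    n, pos = _take(msg, pos, 1)                           # legacy_compression_methods
    _, pos = _take(msg, pos, n[0])
    n, pos = _take(msg, pos, 2)                           # extensions
    ext_data, pos = _take(msg, pos, struct.unpack("!H", n)[0])
    exts, p = [], 0
    while p < len(ext_data):
        head, p = _take(ext_data, p, 4)
        etype, elen = struct.unpack("!HH", head)
        edata, p = _take(ext_data, p, elen)
        exts.append((etype, edata))
    return exts

def check_psk_binders(msg):
    """Return findings about the pre_shared_key extension; an empty list means structurally sane."""
    findings = []
    exts = parse_extensions(msg)
    psk_idx = [i for i, (t, _) in enumerate(exts) if t == PRE_SHARED_KEY]
    if not psk_idx:
        return findings                                   # no PSK offered: nothing to check
    if psk_idx[-1] != len(exts) - 1:
        findings.append("pre_shared_key is not the last extension")
    data = exts[psk_idx[0]][1]
    try:
        n, p = _take(data, 0, 2)                          # OfferedPsks.identities
        ids, p = _take(data, p, struct.unpack("!H", n)[0])
        n_ids, q = 0, 0
        while q < len(ids):
            n, q = _take(ids, q, 2)
            _, q = _take(ids, q, struct.unpack("!H", n)[0] + 4)  # identity + obfuscated_ticket_age
            n_ids += 1
        n, p = _take(data, p, 2)                          # OfferedPsks.binders
        binders, p = _take(data, p, struct.unpack("!H", n)[0])
        if p != len(data):
            findings.append("trailing bytes in pre_shared_key extension")
        n_binders, q = 0, 0
        while q < len(binders):
            n, q = _take(binders, q, 1)
            _, q = _take(binders, q, n[0])
            n_binders += 1
            if n[0] not in VALID_BINDER_LENGTHS:
                findings.append(f"binder #{n_binders} has implausible length {n[0]}")
    except ValueError as exc:
        findings.append(f"malformed pre_shared_key extension: {exc}")
        return findings
    if n_ids == 0:
        findings.append("empty identities list")
    if n_binders != n_ids:
        findings.append(f"{n_ids} identities but {n_binders} binders")
    return findings

# Constructed sample messages (not captured traffic) for exercising the checker.
def build_psk_extension(identities, binders):
    ids = b"".join(struct.pack("!H", len(i)) + i + b"\x00\x00\x00\x00" for i in identities)
    bs = b"".join(bytes([len(b)]) + b for b in binders)
    return struct.pack("!H", len(ids)) + ids + struct.pack("!H", len(bs)) + bs

def build_client_hello(extensions):
    body = b"\x03\x03" + bytes(32) + b"\x00"              # version, zero random, empty session id
    body += b"\x00\x02\x13\x01" + b"\x01\x00"             # TLS_AES_128_GCM_SHA256, null compression
    blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(blob)) + blob
    return b"\x01" + len(body).to_bytes(3, "big") + body

TLS13_ONLY = (43, b"\x02\x03\x04")                        # supported_versions: TLS 1.3
SAMPLES = {
    "good": build_client_hello([TLS13_ONLY, (PRE_SHARED_KEY, build_psk_extension([b"ticket"], [bytes(32)]))]),
    "empty_binder": build_client_hello([TLS13_ONLY, (PRE_SHARED_KEY, build_psk_extension([b"ticket"], [b""]))]),
    "missing_binder": build_client_hello([TLS13_ONLY, (PRE_SHARED_KEY, build_psk_extension([b"a", b"b"], [bytes(32)]))]),
    "psk_not_last": build_client_hello([(PRE_SHARED_KEY, build_psk_extension([b"t"], [bytes(48)])), TLS13_ONLY]),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, check_psk_binders(msg) or "ok")
```

In practice you would feed `check_psk_binders` the bytes of the Handshake layer of each ClientHello exported from the capture and review only the messages that produce findings. Note that the tcpdump filter quoted above only records port 443; a GnuTLS server listening elsewhere needs a matching filter.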


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating or patching the gnutls library to a version where this vulnerability is fixed.

Since the vulnerability is caused by improper handling of invalid PSK binders during the TLS handshake, disabling or restricting the use of Pre-Shared Key (PSK) extensions on the server side can reduce exposure until a patch is applied.

Monitoring and blocking suspicious TLS ClientHello messages with malformed PSK binders at the network perimeter using intrusion detection or prevention systems can also help mitigate attacks.

Finally, ensure that server logs and monitoring systems are configured to detect and alert on crashes or unusual TLS handshake failures.

