CVE-2026-3832
Modified Modified - Updated After Analysis
OCSP Response Handling Flaw in GnuTLS

Publication date: 2026-04-30

Last updated on: 2026-06-02

Assigner: Red Hat, Inc.

Description
A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-06-02
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3832
EUVD
EUVD-2026-26402
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
redhat enterprise_linux 7.0
redhat enterprise_linux 6.0
gnu gnutls *
redhat enterprise_linux 8.0
redhat openshift_container_platform 4.0
redhat enterprise_linux 9.0
redhat enterprise_linux 10.0
redhat hardened_images *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-179 The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3832 is a security flaw in GnuTLS related to how it processes Online Certificate Status Protocol (OCSP) responses during a TLS handshake.

When a server presents a multi-record OCSP response, GnuTLS incorrectly reads the certificate status from the first record regardless of which record matches the server certificate.

This means that if the first record indicates a valid certificate but a later record shows the server certificate as revoked, the client may mistakenly accept the revoked certificate.

Impact Analysis

This vulnerability can lead to a security bypass where clients with OCSP verification enabled may accept revoked server certificates.

Accepting a revoked certificate undermines the trust model of TLS, potentially allowing attackers to impersonate servers or intercept encrypted communications.

The impact is considered low severity but can result in compromised trust and security in communications relying on GnuTLS for certificate validation.

Detection Guidance

This vulnerability involves the acceptance of revoked server certificates due to improper OCSP response processing in GnuTLS. Detection involves monitoring TLS handshakes where OCSP stapling is used and verifying if revoked certificates are incorrectly accepted.

You can detect this issue by capturing and analyzing TLS handshake traffic with OCSP stapling enabled, then inspecting the OCSP responses for multi-record responses where the first record indicates a valid certificate but a later record indicates revocation.

Suggested commands include using tools like OpenSSL or GnuTLS utilities to perform OCSP checks manually and verify certificate status, for example:

  • Use OpenSSL to connect and view OCSP stapling response: `openssl s_client -connect <server>:443 -status`
  • Use GnuTLS client debug to check OCSP stapling: `gnutls-cli --print-cert --ocsp --priority NORMAL <server>`

By comparing the OCSP response records and their statuses, you can identify if a revoked certificate is being incorrectly accepted due to the vulnerability.

Mitigation Strategies

Immediate mitigation steps include disabling OCSP verification or OCSP stapling in GnuTLS clients until a patched version is applied.

Alternatively, update GnuTLS to a version where this vulnerability is fixed, which involves correcting the logic to use the matched OCSP record index when checking certificate status.

As a temporary workaround, avoid relying solely on OCSP stapling for certificate revocation checking and consider using CRL (Certificate Revocation Lists) or other revocation mechanisms.

Compliance Impact

This vulnerability in GnuTLS allows a client to incorrectly accept revoked server certificates during TLS handshakes when OCSP verification is enabled. Accepting revoked certificates can undermine the trustworthiness of secure communications, potentially exposing sensitive data to interception or manipulation.

Such a flaw could negatively impact compliance with security requirements in common standards and regulations like GDPR and HIPAA, which mandate strong protections for data in transit and require the use of valid, trusted certificates to ensure confidentiality and integrity.

By allowing revoked certificates to be accepted, this vulnerability may increase the risk of unauthorized access or data breaches, thereby complicating adherence to these regulatory frameworks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3832. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart