CVE-2026-33846
Awaiting Analysis Awaiting Analysis - Queue
Heap Buffer Overflow in GnuTLS DTLS Fragment Reassembly

Publication date: 2026-05-04

Last updated on: 2026-06-02

Assigner: Red Hat, Inc.

Description
A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-06-02
Generated
2026-06-16
AI Q&A
2026-05-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33846
EUVD
EUVD-2026-26926
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gnutls gnutls to 3.6.15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-130 The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a heap buffer overflow in the DTLS handshake fragment reassembly logic of GnuTLS. It occurs because the function that merges handshake fragments only checks the handshake type but does not verify that the message_length field is consistent across all fragments of the same message. An attacker can send specially crafted DTLS fragments with conflicting message_length values, causing the program to allocate a buffer based on a smaller fragment and then write beyond that buffer when processing larger fragments. This leads to an out-of-bounds write on the heap.

The vulnerability can be exploited remotely without authentication during the DTLS handshake, potentially causing application crashes or memory corruption.

Impact Analysis

This vulnerability can be exploited to cause a Denial of Service (DoS) by crashing applications that use GnuTLS for DTLS connections. Because it involves a heap buffer overflow, it may also lead to memory corruption, which could potentially be leveraged for further attacks, although no direct impact on confidentiality or integrity is indicated.

Since the vulnerability is remotely exploitable without authentication, any system using vulnerable versions of GnuTLS is at risk of being disrupted by an attacker sending malicious DTLS handshake fragments.

Mitigation Strategies

Currently, there is no official fix released for this vulnerability.

Since the vulnerability allows remote exploitation via the DTLS handshake, immediate mitigation steps include limiting or blocking DTLS traffic to affected systems where possible to reduce exposure.

Monitoring for unusual crashes or memory corruption in applications using GnuTLS may help detect exploitation attempts.

Stay updated with Red Hat Product Security announcements for patches or updates addressing this issue.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33846. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart