CVE-2026-42009
Modified Modified - Updated After Analysis

DTLS Packet Reordering Flaw in GnuTLS Leads to DoS

Publication date: 2026-05-18

Last updated on: 2026-06-29

Assigner: Red Hat, Inc.

Description
A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-18
Last Modified
2026-06-29
Generated
2026-06-30
AI Q&A
2026-05-18
EPSS Evaluated
2026-06-28
NVD
CVE-2026-42009

Affected Vendors & Products

Showing 43 associated CPEs
Vendor Product Version / Range
redhat enterprise_linux 7.0
redhat enterprise_linux 6.0
gnu gnutls *
redhat openshift_container_platform 4.0
redhat hardened_images *
redhat enterprise_linux_for_power_little_endian 8.0_ppc64le
redhat enterprise_linux_for_ibm_z_systems 8.0_s390x
redhat enterprise_linux 8.0
redhat enterprise_linux 8.0
redhat enterprise_linux_for_els 8.10
redhat enterprise_linux_for_els 8.10
redhat enterprise_linux_for_ibm_z_systems_els 8.10
redhat enterprise_linux_for_power_little_endian_els 8.10
redhat enterprise_linux_for_power_little_endian 9.0_ppc64le
redhat enterprise_linux_for_ibm_z_systems 9.0_s390x
redhat enterprise_linux 9.0
redhat enterprise_linux 9.0
redhat enterprise_linux 9.8
redhat enterprise_linux_for_els 9.8
redhat enterprise_linux_for_els 9.8
redhat enterprise_linux_for_eus 9.8
redhat enterprise_linux_for_eus 9.8
redhat enterprise_linux_for_ibm_z_systems_els 9.8
redhat enterprise_linux_for_ibm_z_systems_eus 9.8
redhat enterprise_linux_for_power_little_endian_els 9.8
redhat enterprise_linux_for_power_little_endian_eus 9.8
redhat enterprise_linux_for_update_services_for_sap_solutions 9.8
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 9.8
redhat enterprise_linux 10.0
redhat enterprise_linux 10.2
redhat enterprise_linux_for_els 10.2
redhat enterprise_linux_for_eus 10.2
redhat enterprise_linux_for_ibm_z_systems 10.2
redhat enterprise_linux_for_ibm_z_systems_els 10.2
redhat enterprise_linux_for_ibm_z_systems_eus 10.2
redhat enterprise_linux_for_power_little_endian 10.0
redhat enterprise_linux_for_power_little_endian 10.2
redhat enterprise_linux 10.0
redhat enterprise_linux 10.2
redhat enterprise_linux_for_els 10.2
redhat enterprise_linux_for_eus 10.2
redhat enterprise_linux_for_power_little_endian_els 10.2
redhat enterprise_linux_for_power_little_endian_eus 10.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-475 The behavior of this function is undefined unless its control parameter is set to a specific value.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in GnuTLS, specifically in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function responsible for ordering DTLS packets by their sequence numbers does not correctly handle packets that have duplicate sequence numbers. This improper handling violates the expected behavior of the sorting function, leading to unstable packet ordering or undefined behavior.

As a result, an attacker can exploit this flaw remotely to cause a denial of service (DoS) by disrupting the normal processing of DTLS packets.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition. An attacker can remotely exploit the flaw to cause unstable or undefined behavior in the DTLS packet processing, which can disrupt or crash services relying on GnuTLS for secure communications.

This can lead to service outages or interruptions on affected Linux systems using GnuTLS, potentially affecting availability of applications or services that depend on DTLS.

Mitigation Strategies

To mitigate this vulnerability, ensure that your GnuTLS package is updated to a version where the comparator function for DTLS packets has been fixed. The fix involves stabilizing the packet sorting by returning 0 for duplicate sequence numbers and discarding packets with the same sequence numbers but differing handshake types.

Since this vulnerability affects all Linux systems using GnuTLS, applying the vendor-provided patches or updates as soon as they become available is critical to prevent denial of service attacks.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42009. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart