CVE-2026-42009
DTLS Packet Reordering Flaw in GnuTLS Leads to DoS
Publication date: 2026-05-18
Last updated on: 2026-05-18
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gnutls | gnutls | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-475 | Undefined Behavior for Input to API: the behavior of this function is undefined unless its control parameter is set to a specific value. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in GnuTLS, in the logic that reorders buffered Datagram Transport Layer Security (DTLS) packets. The comparator function that orders DTLS packets by sequence number does not handle packets with duplicate sequence numbers correctly: it never reports two such packets as equal. A sort routine requires a consistent ordering from its comparator (in particular, equal keys must compare as equal), so feeding it a comparator that violates this produces unstable ordering at best and undefined behavior at worst.
As a result, a remote attacker who can deliver DTLS packets with duplicate sequence numbers to an affected endpoint can trigger the flaw and cause a denial of service (DoS) by disrupting normal DTLS packet processing.
How can this vulnerability impact me?
The primary impact of this vulnerability is a denial of service (DoS) condition. An attacker can remotely trigger unstable or undefined behavior in DTLS packet processing, which can disrupt or crash services that rely on GnuTLS for DTLS.
This can lead to outages or interruptions on affected systems, most commonly Linux hosts where GnuTLS is the system TLS library, for any application or service that depends on DTLS.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update your GnuTLS package to a version in which the DTLS packet comparator has been fixed. The fix stabilizes the packet sort by returning 0 when two packets have the same sequence number, and discards packets that share a sequence number but carry differing handshake types.
The affected-version range on this page is listed as "*", so treat every GnuTLS installation as affected until your vendor publishes a fixed version, and apply the vendor-provided patches or updates as soon as they become available to prevent denial of service attacks.
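The following added example illustrates both the flaw described in the explanation above and the fix described in the mitigation answer. It is constructed for this page and is not GnuTLS code: the fragment structure, the function names, the sample input, and the policy of discarding every fragment of a sequence number whose handshake types conflict are all assumptions made here for illustration. The comparator consistency checker is the piece a practitioner can reuse: it verifies reflexivity, antisymmetry, and transitivity of a comparator on a sample without ever handing an inconsistent comparator to qsort(), where the C standard makes the result undefined.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical minimal view of a buffered DTLS handshake fragment.
 * Only the fields this example needs; not GnuTLS's own structure. */
typedef struct {
    uint64_t sequence;       /* DTLS handshake sequence number */
    uint8_t  handshake_type; /* DTLS handshake message type */
} dtls_fragment;

/* Broken comparator (constructed to show the bug class the advisory
 * describes): it never returns 0, so two fragments with the same
 * sequence number compare as "a < b" and also as "b < a". qsort()
 * requires a consistent ordering; violating it is undefined behavior. */
static int cmp_broken(const void *pa, const void *pb)
{
    const dtls_fragment *a = pa, *b = pb;
    return a->sequence < b->sequence ? -1 : 1;
}

/* Fixed comparator: returns 0 on equal sequence numbers, as the
 * advisory's fix does, giving a valid total order. */
static int cmp_fixed(const void *pa, const void *pb)
{
    const dtls_fragment *a = pa, *b = pb;
    if (a->sequence < b->sequence) return -1;
    if (a->sequence > b->sequence) return 1;
    return 0;
}

static int sign_of(int v) { return (v > 0) - (v < 0); }

/* Property check for any comparator over a sample array:
 *   reflexivity   cmp(x,x) == 0
 *   antisymmetry  sign(cmp(x,y)) == -sign(cmp(y,x))
 *   transitivity  x<y and y<z imply x<z
 * Returns 1 if all hold, 0 otherwise. O(n^3); intended for tests. */
int comparator_is_consistent(int (*cmp)(const void *, const void *),
                             const dtls_fragment *v, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (cmp(&v[i], &v[i]) != 0) return 0;
        for (size_t j = 0; j < n; j++) {
            if (sign_of(cmp(&v[i], &v[j])) != -sign_of(cmp(&v[j], &v[i])))
                return 0;
            for (size_t k = 0; k < n; k++)
                if (cmp(&v[i], &v[j]) < 0 && cmp(&v[j], &v[k]) < 0 &&
                    cmp(&v[i], &v[k]) >= 0)
                    return 0;
        }
    }
    return 1;
}

/* Sort with the fixed comparator, then resolve runs of equal sequence
 * numbers: a run whose handshake types all agree is a retransmit and
 * collapses to one fragment; a run with differing types is discarded
 * entirely (assumed policy for this example). Returns the new count. */
size_t reorder_fragments(dtls_fragment *v, size_t n)
{
    qsort(v, n, sizeof *v, cmp_fixed);
    size_t out = 0, i = 0;
    while (i < n) {
        size_t j = i + 1;
        int conflict = 0;
        while (j < n && v[j].sequence == v[i].sequence) {
            if (v[j].handshake_type != v[i].handshake_type) conflict = 1;
            j++;
        }
        if (!conflict) v[out++] = v[i];
        i = j;
    }
    return out;
}

/* Constructed sample: out-of-order fragments with one exact retransmit
 * (seq 1) and one conflicting pair (seq 2, types 2 and 3). */
size_t sample_fragments(dtls_fragment *v)
{
    const dtls_fragment sample[] = {
        {3, 1}, {1, 1}, {2, 2}, {1, 1}, {2, 3}, {0, 1},
    };
    size_t n = sizeof sample / sizeof sample[0];
    for (size_t i = 0; i < n; i++) v[i] = sample[i];
    return n;
}

int main(void)
{
    dtls_fragment v[8];
    size_t n = sample_fragments(v);
    printf("broken comparator consistent: %d\n", comparator_is_consistent(cmp_broken, v, n));
    printf("fixed comparator consistent:  %d\n", comparator_is_consistent(cmp_fixed, v, n));
    size_t m = reorder_fragments(v, n);
    for (size_t i = 0; i < m; i++)
        printf("seq %llu type %u\n", (unsigned long long)v[i].sequence, v[i].handshake_type);
    return 0;
}
```

The consistency check is cheap to add to a unit test and catches the advisory's bug class on any sample containing a duplicate key, since reflexivity alone fails for a comparator that never returns 0. Whether a conflicting group should be dropped wholesale or only the later fragment rejected is a policy choice; the page states only that such packets are discarded.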
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.