CVE-2026-5260
Heap Overread in GnuTLS via Short RSA Premaster Secret
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: Red Hat, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gnutls | libgnutls | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1284 | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in libgnutls, where a remote attacker can send an extremely short premaster secret during an RSA key exchange to a server using an RSA key backed by a PKCS#11 token. This action triggers a short heap overread, which is a type of memory corruption.
The result of this memory corruption is potential information disclosure.
How can this vulnerability impact me?
The vulnerability can lead to information disclosure due to memory corruption caused by a short heap overread.
Because the attack can be performed remotely without any privileges or user interaction, it poses a significant security risk.
The CVSS score of 8.2 indicates a high severity, with impact primarily on confidentiality and availability.