Alpine: multiple gnutls packages: security update to 3.8.12-r0

Severity: High | Tenable Cloud Security Plugin ID 437944

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic
within the certtool utility. When it reads certain settings from a template file, it allows an attacker to
cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service
(DoS) that could potentially crash the system. (CVE-2025-32990)

- A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient
algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to
increased resource consumption. This flaw allows a remote attacker to send a specially crafted
certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.
(CVE-2024-12243)

- A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().
(CVE-2025-6395)

- A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that
handles PKCS#11 token initialization. When a token label longer than expected is processed, the function
writes past the end of a fixed-size stack buffer. This programming error can cause the application using
GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or
applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation
attacks. (CVE-2025-9820)

- A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central
Processing Unit) and memory consumption via specially crafted malicious certificates containing a large
number of name constraints and subject alternative names (SANs). (CVE-2025-14831)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-12243

https://security.alpinelinux.org/vuln/CVE-2025-14831

https://security.alpinelinux.org/vuln/CVE-2025-32988

https://security.alpinelinux.org/vuln/CVE-2025-32989

https://security.alpinelinux.org/vuln/CVE-2025-32990

https://security.alpinelinux.org/vuln/CVE-2025-6395

https://security.alpinelinux.org/vuln/CVE-2025-9820

https://security.alpinelinux.org/vuln/CVE-2026-1584

Plugin Details

Severity: High

ID: 437944

Version: Revision 1.3

Type: Local

Published: 2/24/2026

Updated: 4/15/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

Percentile: 96.46

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:C

CVSS Score Source: CVE-2025-32990

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 2/10/2025

Reference Information

CVE: CVE-2024-12243, CVE-2025-14831, CVE-2025-32988, CVE-2025-32989, CVE-2025-32990, CVE-2025-6395, CVE-2025-9820, CVE-2026-1584

IAVA: 2025-A-0879-S, 2026-A-0147