Debian dla-4595 : gnutls-bin - security update

critical Nessus Plugin ID 316551

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4595 advisory.

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4595-1                [email protected]
https://www.debian.org/lts/security/          Guilhem Moulin
May 22, 2026                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : gnutls28
Version        : 3.7.1-5+deb11u10
CVE ID         : CVE-2026-3833 CVE-2026-5260 CVE-2026-33845 CVE-2026-33846
                 CVE-2026-42009 CVE-2026-42010 CVE-2026-42011 CVE-2026-42012
                 CVE-2026-42013 CVE-2026-42014 CVE-2026-42015
Debian Bug     : 1135319

Multiple vulnerabilities were found in GnuTLS, a portable library which implements the Transport Layer Security and Datagram Transport Layer Security protocols, which may lead to constraint bypass, denial of service, information disclosure, authentication bypass or potentially execution of arbitrary code.

CVE-2026-3833

Oleh Konko and Joshua Rogers independently discovered that domain name comparison during name constraints processing was case-sensitive, thereby violating RFC 5280 7.2. For excluded name constraints, this could lead to incorrectly accepting domain names that should've been rejected.

CVE-2026-5260

Joshua Rogers discovered that for a server using an RSA key backed by a PKCS#11 token, a client sending an extremely short premaster secret during an RSA key exchange could trigger a short heap overread.

CVE-2026-33845

Joshua Rogers discovered a remotely triggerable underflow in the DTLS reassembly code leading to a heap overrun.

CVE-2026-33846

Haruto Kimura, Oscar Reparaz and Zou Dikai independently discovered that GnuTLS failed to properly check that DTLS fragments claimed a consistent message_length value, and that a bound check on the array was missing, enabling an attacker to cause a heap overwrite.

CVE-2026-42009

Joshua Rogers discovered that the comparator function used for ordering DTLS packets by sequence numbers did not follow qsort comparator contracts in case of packets with duplicate sequence numbers, which could lead to undefined behaviour.
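The qsort contract the advisory refers to requires a comparator to define a consistent total order: it must return 0 when both arguments compare equal and must give mirrored results when the arguments are swapped. The following added example (my own code for illustration, not GnuTLS's reassembly code; the `dtls_record_t` struct and the function names are constructed for this example) shows a comparator that violates the contract for duplicate sequence numbers next to one that satisfies it, plus a check that tests any comparator against both properties on a sample record set.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A reassembly-queue entry (constructed for this example, not GnuTLS's own struct). */
typedef struct {
    uint64_t seq;      /* record sequence number as read from the wire */
    unsigned arrival;  /* position in receive order, used as a deterministic tie-break */
} dtls_record_t;

/* Contract-violating comparator: it never returns 0, so for two records with
   the same seq both cmp(a,b) and cmp(b,a) claim "greater". Passing such a
   comparator to qsort() is undefined behaviour in C. */
int cmp_seq_broken(const void *a, const void *b) {
    const dtls_record_t *x = a, *y = b;
    return x->seq < y->seq ? -1 : 1;
}

/* Contract-respecting comparator: three-way compare on seq, then on arrival,
   so duplicates still get a consistent answer and cmp(a,b) == -cmp(b,a). */
int cmp_seq_ok(const void *a, const void *b) {
    const dtls_record_t *x = a, *y = b;
    if (x->seq != y->seq) return x->seq < y->seq ? -1 : 1;
    if (x->arrival != y->arrival) return x->arrival < y->arrival ? -1 : 1;
    return 0;
}

/* Checks reflexivity (cmp(a,a) == 0) and antisymmetry (sign of cmp(a,b) is the
   opposite of cmp(b,a)) over every pair in the record set. */
bool comparator_is_consistent(int (*cmp)(const void *, const void *),
                              const dtls_record_t *r, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (cmp(&r[i], &r[i]) != 0) return false;
        for (size_t j = 0; j < n; j++) {
            int ab = cmp(&r[i], &r[j]), ba = cmp(&r[j], &r[i]);
            if ((ab < 0) != (ba > 0) || (ab == 0) != (ba == 0)) return false;
        }
    }
    return true;
}

/* Sorts a copy with the correct comparator and verifies the result is
   nondecreasing by (seq, arrival). Only cmp_seq_ok is ever handed to qsort(). */
bool sorted_by_seq(const dtls_record_t *in, size_t n) {
    dtls_record_t buf[16];
    if (n > sizeof buf / sizeof buf[0]) return false;
    memcpy(buf, in, n * sizeof buf[0]);
    qsort(buf, n, sizeof buf[0], cmp_seq_ok);
    for (size_t i = 1; i < n; i++)
        if (cmp_seq_ok(&buf[i - 1], &buf[i]) > 0) return false;
    return true;
}

/* Constructed sample: two pairs of duplicate sequence numbers. */
const dtls_record_t sample_records[] = {
    {5, 0}, {3, 1}, {5, 2}, {1, 3}, {3, 4},
};
const size_t sample_count = sizeof sample_records / sizeof sample_records[0];

int main(void) {
    printf("broken comparator consistent: %s\n",
           comparator_is_consistent(cmp_seq_broken, sample_records, sample_count) ? "yes" : "no");
    printf("fixed comparator consistent:  %s\n",
           comparator_is_consistent(cmp_seq_ok, sample_records, sample_count) ? "yes" : "no");
    printf("sorted with fixed comparator: %s\n",
           sorted_by_seq(sample_records, sample_count) ? "yes" : "no");
    return 0;
}
```

The consistency check is cheap enough to run in a unit test over the inputs a reassembly queue actually sees (duplicates and retransmissions), which is exactly where a "less-than or greater" comparator goes wrong.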

CVE-2026-42010

Joshua Rogers discovered that servers configured with RSA-PSK wrongfully matched usernames with a NUL character in them to ones truncated at the NUL character, which could lead to an authentication bypass.

CVE-2026-42011

Haruto Kimura discovered that permitted name constraints were wrongfully ignored when prior CAs only had excluded name constraints, resulting in a name constraint bypass.
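Two of the name-constraint issues above (CVE-2026-3833 and CVE-2026-42011) come down to how a dNSName is matched against the subtrees collected along a chain: RFC 5280 section 7.2 requires the comparison to be case-insensitive, and a permitted subtree on any CA in the chain must be enforced regardless of what earlier CAs carried. The following added example (my own code written for this page, not GnuTLS's verification code; the `ca_dns_constraints_t` struct, the `NC_*` result codes and the sample chain are constructed for illustration) implements that matching for dNSName constraints only.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of a DNS name, ignoring one trailing dot if present. */
static size_t dns_len(const char *s) {
    size_t n = strlen(s);
    if (n > 0 && s[n - 1] == '.') n--;
    return n;
}

/* ASCII case-insensitive comparison of n bytes (RFC 5280 7.2: DNS names
   compare case-insensitively). */
static bool eq_nocase(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* RFC 5280 4.2.1.10: a name satisfies a dNSName subtree when it equals the
   subtree or is formed by adding labels on the left, so "host.example.com"
   matches "example.com" but "notexample.com" does not. */
bool dns_in_subtree(const char *name, const char *subtree) {
    size_t nl = dns_len(name), sl = dns_len(subtree);
    if (sl == 0) return true;                         /* empty subtree matches any name */
    if (nl == sl) return eq_nocase(name, subtree, sl);
    if (nl > sl && name[nl - sl - 1] == '.')
        return eq_nocase(name + (nl - sl), subtree, sl);
    return false;
}

/* dNSName constraints carried by one CA certificate (constructed struct). */
typedef struct {
    const char *const *permitted; size_t n_permitted;
    const char *const *excluded;  size_t n_excluded;
} ca_dns_constraints_t;

enum { NC_OK = 0, NC_EXCLUDED = -1, NC_NOT_PERMITTED = -2 };

/* Evaluates `name` against every CA in the chain (root first). Excluded
   subtrees accumulate across CAs. Each CA that carries permitted subtrees
   restricts the name on its own, so a permitted list on a later CA is
   enforced even when earlier CAs carried only excluded subtrees. */
int check_dns_name_constraints(const char *name, const ca_dns_constraints_t *chain, size_t depth) {
    for (size_t i = 0; i < depth; i++)
        for (size_t j = 0; j < chain[i].n_excluded; j++)
            if (dns_in_subtree(name, chain[i].excluded[j])) return NC_EXCLUDED;
    for (size_t i = 0; i < depth; i++) {
        if (chain[i].n_permitted == 0) continue;      /* this CA does not restrict dNSName */
        bool ok = false;
        for (size_t j = 0; j < chain[i].n_permitted && !ok; j++)
            ok = dns_in_subtree(name, chain[i].permitted[j]);
        if (!ok) return NC_NOT_PERMITTED;
    }
    return NC_OK;
}

/* Constructed chain: the root carries only an excluded subtree (in mixed
   case), the intermediate only a permitted one. */
static const char *const root_excluded[] = { "Forbidden.example.com" };
static const char *const sub_permitted[] = { "example.com" };
const ca_dns_constraints_t sample_chain[2] = {
    { NULL, 0, root_excluded, 1 },
    { sub_permitted, 1, NULL, 0 },
};

int main(void) {
    const char *names[] = { "www.forbidden.EXAMPLE.COM", "www.example.net", "www.example.com" };
    for (size_t i = 0; i < 3; i++)
        printf("%-28s -> %d\n", names[i], check_dns_name_constraints(names[i], sample_chain, 2));
    return 0;
}
```

With a case-sensitive comparison the first name would slip past the excluded subtree, and with the "only excluded constraints seen so far" shortcut the second name would be accepted although the intermediate CA permits only `example.com`; both are the checks worth adding to a regression suite for a chain verifier.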

CVE-2026-42012

Oleh Konko discovered that certificates containing URI or SRV Subject Alternative Names would fall back to checking DNS hostnames against Common Name, allowing potential misuse of such certificates beyond their original purpose.

CVE-2026-42013

Haruto Kimura and Joshua Rogers independently discovered that validation of certificates with oversized Subject Alternative Names would fall back to checking DNS hostnames against Common Name.

CVE-2026-42014

Luigino Camastra and Joshua Rogers discovered that changing the Security Officer PIN with `gnutls_pkcs11_token_set_pin()` with `oldpin == NULL` for a token lacking a protected authentication path led to a use-after-free.

CVE-2026-42015

Zou Dikai discovered that appending to a PKCS#12 bag that already contained 32 elements could write past the bag's internal array.

This update also fixes additional security issues for which no CVE ID was assigned yet:

Joshua Rogers discovered that rehandshaking to a username with an embedded NUL character could theoretically allow bypassing the `GNUTLS_ALLOW_ID_CHANGE` protection.

Joshua Rogers discovered that the OCSP signing EKU OID was compared without verifying its length, allowing a shorter OID that shares the same prefix to match.

Haruto Kimura discovered a possible invalid pointer dereference in the PKCS#11 trust removal error path.

Kamil Frankowicz discovered that `gnutls_privkey_verify_params()` overlooked the scenario of `p` and `q` not being co-prime. It now returns `GNUTLS_E_PK_INVALID_PRIVKEY` in this case.

Joshua Rogers discovered that if `gnutls_x509_crt_list_import_pkcs11()` failed partway through, then the trust list cleanup code would try to free already-deinitialized certificate entries, leading to a double-free.

Kamil Frankowicz and Joshua Rogers independently discovered that insufficient bounds checking on the PEM header length could lead to short heap overreads on specially crafted inputs.

For Debian 11 bullseye, these problems have been fixed in version 3.7.1-5+deb11u10.

We recommend that you upgrade your gnutls28 packages.

For the detailed security status of gnutls28 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/gnutls28

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the gnutls-bin packages.

See Also

https://security-tracker.debian.org/tracker/source-package/gnutls28

https://security-tracker.debian.org/tracker/CVE-2026-33845

https://security-tracker.debian.org/tracker/CVE-2026-33846

https://security-tracker.debian.org/tracker/CVE-2026-3833

https://security-tracker.debian.org/tracker/CVE-2026-42009

https://security-tracker.debian.org/tracker/CVE-2026-42010

https://security-tracker.debian.org/tracker/CVE-2026-42011

https://security-tracker.debian.org/tracker/CVE-2026-42012

https://security-tracker.debian.org/tracker/CVE-2026-42013

https://security-tracker.debian.org/tracker/CVE-2026-42014

https://security-tracker.debian.org/tracker/CVE-2026-42015

https://security-tracker.debian.org/tracker/CVE-2026-5260

https://packages.debian.org/source/bullseye/gnutls28

Plugin Details

Severity: Critical

ID: 316551

File Name: debian_DLA-4595.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 5/25/2026

Updated: 5/25/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-42010

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:libgnutlsxx28, p-cpe:/a:debian:debian_linux:libgnutls30, p-cpe:/a:debian:debian_linux:gnutls-doc, p-cpe:/a:debian:debian_linux:libgnutls28-dev, p-cpe:/a:debian:debian_linux:libgnutls-openssl27, p-cpe:/a:debian:debian_linux:guile-gnutls, p-cpe:/a:debian:debian_linux:libgnutls-dane0, p-cpe:/a:debian:debian_linux:gnutls-bin

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/22/2026

Vulnerability Publication Date: 4/30/2026

Reference Information

CVE: CVE-2026-33845, CVE-2026-33846, CVE-2026-3833, CVE-2026-42009, CVE-2026-42010, CVE-2026-42011, CVE-2026-42012, CVE-2026-42013, CVE-2026-42014, CVE-2026-42015, CVE-2026-5260