Cyber Posture

CVE-2026-33846

High

Published: 04 May 2026
Modified: 04 May 2026
KEV Added: (no date listed)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0006 (19.2 percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A heap buffer overflow exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet(), where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values: the implementation allocates the reassembly buffer from a smaller initial fragment and then writes beyond its bounds when merging larger, inconsistent fragments. Because the merge operation does not bound the write against the allocated buffer size, the result is an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.

Mitigating Controls (NIST 800-53 r5)

Prevent: remediate the specific heap buffer overflow in GnuTLS DTLS fragment reassembly by applying the vendor patch or updating GnuTLS. This is the only control that removes the flaw.

Prevent: memory protections such as ASLR and DEP raise the cost of turning the heap overflow into code execution. They do not prevent the crash, so they reduce the memory-corruption risk, not the availability impact that the CVSS vector scores.

Prevent: validate DTLS handshake fragment inputs so that message_length is consistent across all fragments of a message and every write during reassembly is bounded by the allocated buffer.

Security Summary

CVE-2026-33846 is a heap buffer overflow in the DTLS handshake fragment reassembly logic of GnuTLS. In merge_handshake_packet(), incoming handshake fragments are matched and merged based solely on handshake type, with no check that the message_length field is consistent across all fragments of the same logical message. An attacker sends crafted fragments with conflicting message_length values: the reassembly buffer is allocated from a smaller initial fragment, and later fragments carrying a larger, inconsistent length are merged past the end of that allocation because the merge does not bound the write against the allocated size.

The flaw is reachable by any unauthenticated network peer via the DTLS handshake path. Successful exploitation yields an out-of-bounds heap write that can crash the application or corrupt memory. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), so the assessed impact is availability only, and it is classified as CWE-130 (Improper Handling of Length Parameter Inconsistency).

Red Hat has issued errata RHSA-2026:13274 to address the issue. Further details on the vulnerability and remediation are available via the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-33846 and Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2450625.
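The description and summary above explain the flaw in prose. The C model below is an added illustration written for this page; it is not GnuTLS code and does not reproduce merge_handshake_packet(). It parses the 12-byte DTLS handshake fragment header (RFC 6347 section 4.2.2), sizes the reassembly buffer from the first fragment, and then merges a second fragment under two policies. POLICY_TYPE_ONLY matches fragments by handshake type and bounds the write by the newest header's message_length, the shape of the flawed logic; POLICY_STRICT rejects any fragment whose message_length disagrees with the allocation and bounds the write by the allocated size. The names hs_fragment, hs_reassembly, merge_policy, the error codes and the two-fragment sample exchange are all assumptions constructed for the example. Where the flawed policy would write past the heap buffer, the model returns MERGE_WOULD_OVERFLOW instead of performing the write.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of DTLS handshake fragment reassembly (RFC 6347, s4.2.2).
 * Added illustration, not GnuTLS code: type names, the merge_policy flag and
 * the error codes are assumptions. POLICY_TYPE_ONLY models the flawed logic the
 * advisory describes; POLICY_STRICT models the checks a fixed reassembler needs. */

enum { MERGE_OK = 0, MERGE_PARTIAL = 1, MERGE_BAD_HEADER = -1,
       MERGE_LENGTH_MISMATCH = -2, MERGE_OUT_OF_BOUNDS = -3,
       MERGE_WOULD_OVERFLOW = -4 };

enum merge_policy { POLICY_TYPE_ONLY = 0, POLICY_STRICT = 1 };

/* Parsed 12-byte DTLS handshake header plus a pointer to the fragment body. */
typedef struct {
    uint8_t  msg_type;
    uint32_t message_length;   /* 24 bits on the wire */
    uint16_t message_seq;
    uint32_t fragment_offset;  /* 24 bits */
    uint32_t fragment_length;  /* 24 bits */
    const uint8_t *body;
} hs_fragment;

/* Reassembly state; buf is sized from the FIRST fragment's message_length. */
typedef struct {
    int      active;
    uint8_t  msg_type;
    uint32_t message_length;
    uint32_t bytes_received;
    uint8_t *buf;
} hs_reassembly;

static uint32_t be24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2]; }

int parse_hs_fragment(const uint8_t *rec, size_t len, hs_fragment *f)
{
    if (len < 12) return MERGE_BAD_HEADER;
    f->msg_type        = rec[0];
    f->message_length  = be24(rec + 1);
    f->message_seq     = (uint16_t)((rec[4] << 8) | rec[5]);
    f->fragment_offset = be24(rec + 6);
    f->fragment_length = be24(rec + 9);
    f->body            = rec + 12;
    /* The fragment must fit inside the record that carried it. */
    return f->fragment_length > len - 12 ? MERGE_BAD_HEADER : MERGE_OK;
}

int merge_hs_fragment(hs_reassembly *r, const hs_fragment *f, enum merge_policy policy)
{
    if (!r->active) {
        r->buf = calloc(f->message_length ? f->message_length : 1, 1);
        if (!r->buf) return MERGE_BAD_HEADER;
        r->active = 1;
        r->msg_type = f->msg_type;
        r->message_length = f->message_length;
        r->bytes_received = 0;
    } else if (f->msg_type != r->msg_type) {
        return MERGE_BAD_HEADER;                    /* belongs to another message */
    } else if (policy == POLICY_STRICT && f->message_length != r->message_length) {
        return MERGE_LENGTH_MISMATCH;               /* the fix: every fragment must agree */
    }

    uint64_t end = (uint64_t)f->fragment_offset + f->fragment_length;
    /* Flawed logic bounds the write by the NEW header's message_length, which the
       peer controls; the fix bounds it by the size actually allocated. */
    uint32_t limit = (policy == POLICY_STRICT) ? r->message_length : f->message_length;
    if (end > limit) return MERGE_OUT_OF_BOUNDS;
    if (end > r->message_length) {
        /* Only reachable under POLICY_TYPE_ONLY: the real code would memcpy past
           the heap allocation here. The model stops instead of writing. */
        return MERGE_WOULD_OVERFLOW;
    }
    memcpy(r->buf + f->fragment_offset, f->body, f->fragment_length);
    r->bytes_received += f->fragment_length;
    return r->bytes_received >= r->message_length ? MERGE_OK : MERGE_PARTIAL;
}

/* Serialise a fragment as it appears on the wire (constructed sample input). */
static size_t build_fragment(uint8_t *out, uint8_t type, uint32_t mlen, uint16_t seq,
                             uint32_t off, uint32_t flen, uint8_t fill)
{
    out[0] = type;
    out[1] = (uint8_t)(mlen >> 16); out[2] = (uint8_t)(mlen >> 8); out[3] = (uint8_t)mlen;
    out[4] = (uint8_t)(seq >> 8);   out[5] = (uint8_t)seq;
    out[6] = (uint8_t)(off >> 16);  out[7] = (uint8_t)(off >> 8);  out[8] = (uint8_t)off;
    out[9] = (uint8_t)(flen >> 16); out[10] = (uint8_t)(flen >> 8); out[11] = (uint8_t)flen;
    memset(out + 12, fill, flen);
    return 12 + flen;
}

/* Two-fragment ClientHello (type 1). conflicting=1 reproduces the attack shape:
   the first fragment claims a 16-byte message, the second claims 64 and carries 40. */
int run_scenario(enum merge_policy policy, int conflicting)
{
    uint8_t rec1[12 + 8], rec2[12 + 40];
    hs_fragment f1, f2;
    hs_reassembly r = {0};
    size_t n1 = build_fragment(rec1, 1, 16, 0, 0, 8, 0xAA);
    size_t n2 = conflicting ? build_fragment(rec2, 1, 64, 0, 8, 40, 0xBB)
                            : build_fragment(rec2, 1, 16, 0, 8, 8, 0xBB);
    int rc = MERGE_BAD_HEADER;
    if (parse_hs_fragment(rec1, n1, &f1) == MERGE_OK &&
        parse_hs_fragment(rec2, n2, &f2) == MERGE_OK) {
        rc = merge_hs_fragment(&r, &f1, policy);
        if (rc == MERGE_PARTIAL) rc = merge_hs_fragment(&r, &f2, policy);
    }
    free(r.buf);
    return rc;
}
```

With the conflicting pair, run_scenario(POLICY_TYPE_ONLY, 1) reaches MERGE_WOULD_OVERFLOW: the second fragment's offset 8 plus length 40 passes the 64-byte limit taken from its own header but lands 32 bytes past the 16-byte allocation. The same input under POLICY_STRICT stops at MERGE_LENGTH_MISMATCH before any write, and a consistent pair reassembles to MERGE_OK under either policy. The two checks that matter are the ones the advisory names: consistency of message_length across fragments, and a bound on fragment_offset + fragment_length that is taken from the allocation rather than from the incoming header.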

Details

CWE(s)

CWE-130 Improper Handling of Length Parameter Inconsistency

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact): adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A remote, unauthenticated DTLS fragment exploit against GnuTLS maps to T1190 (exploitation of a public-facing application) and to T1499.004 (application exploitation for denial of service through a crash or memory corruption).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://access.redhat.com/security/cve/CVE-2026-33846
https://bugzilla.redhat.com/show_bug.cgi?id=2450625