PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-33846 Red Hat CVE debrief

A heap buffer overflow vulnerability exists in GnuTLS's DTLS handshake fragment reassembly logic. The flaw resides in `merge_handshake_packet()`, which matches and merges incoming DTLS handshake fragments based solely on handshake type without validating that the `message_length` field remains consistent across all fragments of the same logical message. An attacker can send crafted DTLS fragments with conflicting `message_length` values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. The merge operation lacks proper bounds checking against the allocated buffer size, resulting in an out-of-bounds heap write. This vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.

Vendor
Red Hat
Product
Red Hat Enterprise Linux 8
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-04
Original CVE updated
2026-05-27
Advisory published
2026-05-04
Advisory updated
2026-05-27

Who should care

Organizations running GnuTLS-based services with DTLS enabled, particularly those exposed to untrusted or internet-facing networks. This includes VoIP infrastructure, VPN endpoints, IoT device management platforms, and any application using DTLS for datagram transport security. System administrators, security engineers, and DevOps teams responsible for TLS/SSL library maintenance should prioritize patching.

Technical summary

The vulnerability stems from insufficient validation in GnuTLS's DTLS handshake fragment reassembly. When processing fragmented DTLS handshake messages, the `merge_handshake_packet()` function uses the handshake type to correlate fragments but does not verify that all fragments of a given message report the same `message_length`. An attacker can therefore send an initial fragment with a small `message_length`, which sizes the reassembly buffer, and then send further fragments that claim a larger `message_length` and whose offset and length, consistent with that larger value but not with the buffer actually allocated, are copied past the end of the buffer. The CVSS 3.1 score of 7.5 (HIGH) reflects network attack vector, low attack complexity, no privileges required, no user interaction, and high availability impact; confidentiality and integrity are scored as unaffected (C:N/I:N), so the scored outcome is denial of service, but because the primitive is a heap write, defenders should not assume a crash is the worst case. The vulnerability is particularly concerning for services exposing DTLS to untrusted networks, as it requires no authentication to exploit.
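As an added illustration (not GnuTLS's code, and not taken from this debrief), the toy reassembler below models the flaw described above and the check that closes it. It keeps the RFC 6347 handshake-header field names, builds fragments in memory instead of parsing them off the wire, and replaces the heap with a fixed arena carrying a sentinel just past the allocation so the out-of-bounds write is observable without crashing. The function names, the 32-byte allocation cap, and the sample fragment sizes are assumptions made for the demonstration.

```c
/*
 * Added illustration (not GnuTLS code): a toy DTLS handshake fragment
 * reassembler showing the bug class in this debrief beside one way to close
 * it. Field names follow the RFC 6347 handshake header; fragments are built
 * in memory rather than parsed off the wire, and the buffer handling is a
 * simplified stand-in for merge_handshake_packet(), not the library's code.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ALLOC_MAX 32   /* assumed cap on one reassembly buffer */

struct dtls_frag {     /* one handshake fragment; lengths are uint24 on the wire */
    uint8_t type; uint32_t message_length; uint16_t message_seq;
    uint32_t fragment_offset, fragment_length; const uint8_t *body;
};
struct hs_msg {        /* reassembly state for one logical message */
    int in_use; uint8_t type; uint16_t message_seq;
    uint32_t message_length;   /* taken from the FIRST fragment seen */
    uint8_t *buf;              /* "allocated" to that message_length */
    uint32_t received;
};

/* Toy heap: a fixed arena with a 0xAA sentinel starting right after the
 * allocation, so an overflow is observable instead of corrupting a real
 * allocator's metadata. */
static uint8_t arena[64];
static size_t alloc_end;   /* first byte past the allocation */

static int start_message(struct hs_msg *m, const struct dtls_frag *f)
{
    if (f->message_length > ALLOC_MAX) return -1;
    alloc_end = f->message_length;
    memset(arena, 0, alloc_end);
    memset(arena + alloc_end, 0xAA, sizeof arena - alloc_end);
    m->in_use = 1; m->type = f->type; m->message_seq = f->message_seq;
    m->message_length = f->message_length; m->buf = arena; m->received = 0;
    return 0;
}

/* VULNERABLE: later fragments are matched on type/seq only; their own
 * message_length is never compared with the one the buffer was sized from,
 * and offset+length is never checked against that size. */
int merge_vulnerable(struct hs_msg *m, const struct dtls_frag *f)
{
    if (!m->in_use) { if (start_message(m, f)) return -1; }
    else if (m->type != f->type || m->message_seq != f->message_seq) return -1;
    /* Demo-only guard so the harness stays defined; the real bug is the
     * missing check against m->message_length, not the arena edge. */
    if (f->fragment_offset > sizeof arena ||
        f->fragment_length > sizeof arena - f->fragment_offset) return -1;
    memcpy(m->buf + f->fragment_offset, f->body, f->fragment_length); /* OOB */
    m->received += f->fragment_length;
    return 0;
}

/* HARDENED: every fragment must fit inside its own message_length, and every
 * fragment after the first must report the message_length the buffer was
 * sized from. Both checks run before any byte is copied. */
int merge_hardened(struct hs_msg *m, const struct dtls_frag *f)
{
    if (f->fragment_offset > f->message_length ||
        f->fragment_length > f->message_length - f->fragment_offset) return -1;
    if (!m->in_use) { if (start_message(m, f)) return -1; }
    else if (m->type != f->type || m->message_seq != f->message_seq ||
             f->message_length != m->message_length) return -1;  /* the fix */
    memcpy(m->buf + f->fragment_offset, f->body, f->fragment_length);
    m->received += f->fragment_length;
    return 0;
}

/* 1 if every byte past the allocation still holds the sentinel, else 0. */
int sentinel_intact(void)
{
    for (size_t i = alloc_end; i < sizeof arena; i++)
        if (arena[i] != 0xAA) return 0;
    return 1;
}

/* Feed two constructed fragments (not captured traffic) of one client_hello
 * (type 1, seq 0) to the chosen merge routine: the first claims
 * message_length len1 and carries bytes [0,8); the second claims len2 and
 * carries [8, 8+frag2). Returns the second merge's return code and stores
 * the bytes accumulated in *received; call sentinel_intact() afterwards. */
int run_pair(int use_hardened, uint32_t len1, uint32_t len2, uint32_t frag2,
             uint32_t *received)
{
    int (*merge)(struct hs_msg *, const struct dtls_frag *) =
        use_hardened ? merge_hardened : merge_vulnerable;
    uint8_t body1[8], body2[56];
    memset(body1, 'A', sizeof body1); memset(body2, 'B', sizeof body2);
    struct dtls_frag f1 = { 1, len1, 0, 0, 8, body1 };
    struct dtls_frag f2 = { 1, len2, 0, 8, frag2, body2 };
    struct hs_msg m = {0};
    if (frag2 > sizeof body2 || merge(&m, &f1) != 0) return -99;
    int rc = merge(&m, &f2);
    *received = m.received;
    return rc;
}
```

`run_pair(0, 8, 48, 40, &n)` drives the vulnerable merge with the conflicting pair (first fragment claims 8 bytes, second claims 48 and carries 40 bytes at offset 8): it returns 0 and `sentinel_intact()` then reports 0, i.e. the copy ran 40 bytes past an 8-byte allocation. The same call with `use_hardened` set returns -1 before any copy, and a consistent pair such as `run_pair(1, 16, 16, 8, &n)` reassembles all 16 bytes. The hardened routine's first check also rejects a fragment whose `message_length` matches the buffer but whose offset plus length exceeds it (`run_pair(1, 8, 8, 8, &n)`), which the vulnerable routine would likewise copy out of bounds; consistency of the length field and a bounds check against the allocation are both needed.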

Defensive priority

HIGH

Recommended defensive actions

  • Apply security updates from Red Hat as referenced in RHSA-2026:13274 and RHSA-2026:20611
  • Monitor GnuTLS upstream for patches addressing merge_handshake_packet() bounds checking
  • Review DTLS-enabled services for exposure to untrusted network sources
  • Implement network segmentation to restrict DTLS traffic to trusted endpoints
  • Enable crash detection and memory corruption monitoring for DTLS server processes
  • Assess application dependencies on GnuTLS for DTLS functionality and prioritize patching accordingly

Evidence notes

CVE published 2026-05-04; modified 2026-05-27. Red Hat has issued security advisories RHSA-2026:13274 and RHSA-2026:20611 addressing this issue. The vulnerability is classified under CWE-130 (Improper Handling of Length Parameter Inconsistency). CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Official resources

2026-05-04