PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42015 Red Hat CVE debrief

A vulnerability in GnuTLS involves an off-by-one error in the PKCS#12 bag element bounds check. The flaw allows a remote attacker to write past the internal array of a PKCS#12 bag when appending to a bag that already contains 32 elements, leading to memory corruption. This could result in denial of service or potentially other unspecified impacts. The vulnerability is classified as CWE-193 (Off-by-one Error) and has a CVSS 3.1 score of 5.3 (Medium severity). The issue was published on May 26, 2026, with Red Hat identified as a related vendor through security advisory and bug tracking references.

Vendor: Red Hat
Product: Red Hat Enterprise Linux 8
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-27
Advisory published: 2026-05-26
Advisory updated: 2026-05-27

Who should care

Organizations running GnuTLS in server roles handling PKCS#12 data, certificate management systems, VPN concentrators, and TLS termination proxies. Development teams using GnuTLS libraries for certificate import/export functionality.

Technical summary

The vulnerability lies in GnuTLS's PKCS#12 implementation, where an off-by-one error in a bounds check permits a write beyond the allocated internal array when a bag already holds exactly 32 elements: a classic CWE-193 condition in array boundary validation. The attack vector is network-accessible with low attack complexity and requires neither privileges nor user interaction. The CVSS vector rates confidentiality and integrity impact as none and availability impact as low. The description itself claims only denial of service and unspecified further impacts; whether the memory corruption could be leveraged for more serious outcomes depends on heap layout and application context. Organizations using GnuTLS for PKCS#12 certificate bundle operations, particularly in server applications that process client-provided data, should prioritize patching.
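The off-by-one described above, as an added, constructed C illustration (this is not GnuTLS code; the struct layout, function names and both check variants are hypothetical): the buggy comparison admits a 33rd append into a 32-slot array, so the write lands one element past the end, while the corrected comparison stops at 32.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed illustration of the CWE-193 pattern described above. Names,
 * struct layout and both check variants are hypothetical, not GnuTLS code. */
#define MAX_BAG_ELEMENTS 32

struct bag_element { const char *data; size_t len; };
struct bag {
    struct bag_element elements[MAX_BAG_ELEMENTS];
    unsigned count;  /* elements stored; the next append writes elements[count] */
};
/* Off-by-one check: count == 32 still passes, so the caller would write
 * elements[32], one slot past the end of a 32-element array. */
static bool bag_has_room_buggy(const struct bag *b) {
    return b->count <= MAX_BAG_ELEMENTS;   /* should be < */
}

/* Correct check: the slot about to be written must be a valid index. */
static bool bag_has_room_fixed(const struct bag *b) {
    return b->count < MAX_BAG_ELEMENTS;
}

/* Append with the fixed check. Returns 0 on success, -1 when the bag is full. */
int bag_append(struct bag *b, const char *data, size_t len) {
    if (!bag_has_room_fixed(b)) return -1;
    b->elements[b->count].data = data;
    b->elements[b->count].len = len;
    b->count++;
    return 0;
}

/* How many appends a check admits before refusing, counted without doing the
 * writes: any result above MAX_BAG_ELEMENTS is an index past the array. */
unsigned appends_admitted(bool (*has_room)(const struct bag *)) {
    struct bag b = { .count = 0 };
    while (has_room(&b) && b.count <= MAX_BAG_ELEMENTS + 1)
        b.count++;
    return b.count;
}
unsigned appends_admitted_buggy(void) { return appends_admitted(bag_has_room_buggy); }
unsigned appends_admitted_fixed(void) { return appends_admitted(bag_has_room_fixed); }
/* Drive bag_append through 33 attempts; returns the successes (expect 32). */
unsigned fill_past_capacity(void) {
    struct bag b = { .count = 0 };
    unsigned ok = 0;
    for (unsigned i = 0; i < MAX_BAG_ELEMENTS + 1; i++)
        ok += bag_append(&b, "cert", 4) == 0;
    return ok;
}
```

The same pattern is what to look for when reviewing any fixed-size array append: the comparison must reject the index equal to the array length, not just indices beyond it.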

Defensive priority

medium

Recommended defensive actions

  • Review GnuTLS deployments for PKCS#12 handling in applications processing untrusted certificate stores
  • Apply security updates from distribution maintainers when available
  • Monitor Red Hat Bugzilla 2467678 for patch availability and technical details
  • Consider input validation controls for PKCS#12 data from external sources
  • Assess application exposure to remote PKCS#12 processing

Evidence notes

The vulnerability description and CVSS scoring are sourced from the NVD entry and associated Red Hat security references. The CWE-193 classification is explicitly noted in the source metadata. The vendor association with Red Hat is derived from reference domain analysis with low confidence and should be reviewed.

Official resources

2026-05-26