CVE-2025-32988

CVSS 6.5 - MEDIUM
Description

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.

Affected Products
7
Vendor Product Version
gnu gnutls All versions
redhat openshift_container_platform 4.0
redhat enterprise_linux 6.0
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
redhat enterprise_linux 10.0
References
https://access.redhat.com/errata/RHSA-2025:16115
https://access.redhat.com/errata/RHSA-2025:16116
https://access.redhat.com/errata/RHSA-2025:17181
https://access.redhat.com/errata/RHSA-2025:17348
https://access.redhat.com/errata/RHSA-2025:17361
https://access.redhat.com/errata/RHSA-2025:17415
https://access.redhat.com/errata/RHSA-2025:19088
https://access.redhat.com/errata/RHSA-2025:22529
https://access.redhat.com/errata/RHSA-2026:7477
https://access.redhat.com/security/cve/CVE-2025-32...
https://bugzilla.redhat.com/show_bug.cgi?id=235962...
https://lists.gnupg.org/pipermail/gnutls-help/2025...
http://www.openwall.com/lists/oss-security/2025/07...
https://lists.debian.org/debian-lts-announce/2025/...
https://cert-portal.siemens.com/productcert/html/s...
Weakness Types
CWE-415
CVE Information
CVE ID:
CVE-2025-32988
Published:
2025-07-10
Modified:
2026-05-12
CVSS Score:
6.5
Severity:
MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Affected Vendors
redhat gnu
Quick Actions
View on NVD Find Similar CVEs
CVSS Severity Scale
0.0 - 3.9 LOW
4.0 - 6.9 MEDIUM
7.0 - 8.9 HIGH
9.0 - 10.0 CRITICAL