CVE-2026-33845: Gnutls: gnutls: denial of service via dtls zero-length fragment
A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.
Security readout for executives and security teams
Plain-English summary
CVE-2026-33845 affects GnuTLS handling of DTLS handshake fragments. A remote attacker could send malformed traffic that may crash affected services using DTLS. The provided CVSS rates availability impact high, with no privileges or user interaction required. No provided source indicates active exploitation or CISA KEV listing.
Executive priority
Treat as a near-term patching item for Linux infrastructure, especially externally reachable DTLS services. It is high severity due to remote, unauthenticated denial-of-service potential, but current provided evidence does not support emergency exploitation response.
Technical view
The flaw is an integer underflow in DTLS handshake reassembly when parsing a zero-length fragment with a non-zero offset, causing an out-of-bounds read. The CVSS vector is 7.5, network, low complexity, no privileges, no user interaction, availability high. The description mentions possible information disclosure, but the CVSS supplied marks confidentiality impact as none.
Likely exposure
Exposure is most likely on systems running affected Red Hat Enterprise Linux gnutls packages where applications use DTLS. The bundle lists affected RHEL 7 ELS, RHEL 8 variants, RHEL 9, and RHEL 10 streams. Some RHEL 8 entries also list libtasn1; confirm scope against Red Hat advisories.
Exploitation context
Remote exploitation is described as possible, but the provided sources do not show public exploitation, weaponized tooling, or KEV inclusion. Practical risk depends on whether DTLS-enabled services using GnuTLS are reachable by untrusted networks.
Researcher notes
Focus validation on DTLS-enabled code paths using GnuTLS. Note source inconsistency: the narrative says possible information disclosure, while the supplied CVSS vector has C:N. Do not assume confidentiality impact without vendor clarification. Use Red Hat CSAF/VEX and RHSA records for stream-specific status.
Mitigation direction
Identify systems with affected Red Hat gnutls packages and DTLS-facing services.
Apply the applicable Red Hat security advisories for each supported RHEL stream.
Prioritize internet-facing or partner-facing DTLS services first.
If updates are unavailable, check Red Hat guidance for supported workarounds.
Restart dependent services after package updates where required by vendor guidance.
Validation and detection
Inventory installed gnutls package versions across RHEL assets.
Map exposed services that use DTLS or GnuTLS libraries.
Check patch status against the relevant Red Hat RHSA advisory.
Review service stability logs for crashes around malformed DTLS traffic.
Confirm no affected package remains after remediation scans.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-191: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-191 · source CWE mapping
Integer Underflow (Wrap or Wraparound)
Integer Underflow (Wrap or Wraparound) represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.