CVE-2026-42015 Overview
A flaw was found in GnuTLS, an open source library implementing the TLS, SSL, and DTLS protocols. The vulnerability is an off-by-one error in the bounds check for PKCS#12 bag elements. When a PKCS#12 bag already contains 32 elements, appending an additional element causes a write past the internal array. This memory corruption can result in denial of service or other unspecified impacts. The issue is tracked under CWE-193 (Off-by-one Error) and affects applications that parse or construct PKCS#12 structures using GnuTLS.
Critical Impact
A remote attacker can trigger memory corruption in GnuTLS-based applications by supplying a crafted PKCS#12 bag, leading to denial of service.
Affected Products
- GnuTLS library (PKCS#12 bag handling component)
- Red Hat Enterprise Linux distributions shipping the affected GnuTLS package
- Downstream applications and services that link against vulnerable GnuTLS versions
Discovery Timeline
- 2026-05-26 - CVE-2026-42015 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-42015
Vulnerability Analysis
The vulnerability resides in the PKCS#12 bag element handling code within GnuTLS. PKCS#12 is a binary archive format used to bundle private keys, certificates, and related cryptographic material. GnuTLS represents these bundles internally using a bag structure backed by a fixed-size array of 32 elements.
The bounds check that gates appending new elements contains an off-by-one error. When the bag already holds 32 elements, the check allows one additional write rather than rejecting the operation. That write lands immediately past the end of the internal array, corrupting adjacent memory.
An attacker who can deliver a crafted PKCS#12 structure to a process using GnuTLS can trigger this condition during parsing or assembly. The resulting corruption can crash the process, producing denial of service. Other impacts depend on the surrounding memory layout and are categorized as unspecified.
Root Cause
The root cause is an incorrect boundary comparison in the PKCS#12 bag append path. The check permits index 32 on a zero-indexed array of 32 entries, allowing a one-element overflow into adjacent heap or stack memory.
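The following is an added illustration of the off-by-one pattern the root cause describes; it is constructed for this page and is not GnuTLS code (the struct, function names and the canary slot are assumptions). A 33rd backing slot stands in for the adjacent memory so the stray write can be observed without undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the off-by-one pattern, not GnuTLS code:
 * the struct, names and canary slot are assumptions for the demo. */
#define MAX_BAG_ELEMENTS 32
#define SENTINEL 0xDEADBEEFu

struct bag {
    unsigned elements[MAX_BAG_ELEMENTS + 1]; /* slot 32 stands in for adjacent memory */
    size_t count;                             /* logical capacity is 32 */
};
static void bag_init(struct bag *b) {
    memset(b, 0, sizeof *b);
    b->elements[MAX_BAG_ELEMENTS] = SENTINEL; /* canary just past the logical array */
}

/* Buggy check: '>' admits count == 32, so the 33rd append writes elements[32]. */
static bool bag_append_buggy(struct bag *b, unsigned v) {
    if (b->count > MAX_BAG_ELEMENTS)
        return false;
    b->elements[b->count++] = v;
    return true;
}

/* Fixed check: '>=' rejects the append once the bag already holds 32. */
static bool bag_append_fixed(struct bag *b, unsigned v) {
    if (b->count >= MAX_BAG_ELEMENTS)
        return false;
    b->elements[b->count++] = v;
    return true;
}

/* Appends n values via the given function; true if the canary survived. */
static bool sentinel_intact_after(bool (*append)(struct bag *, unsigned), size_t n) {
    struct bag b;
    bag_init(&b);
    for (size_t i = 0; i < n; i++)
        append(&b, (unsigned)i);
    return b.elements[MAX_BAG_ELEMENTS] == SENTINEL;
}

int main(void) {
    printf("buggy, 33 appends: canary %s\n", sentinel_intact_after(bag_append_buggy, 33) ? "intact" : "CORRUPTED");
    printf("fixed, 33 appends: canary %s\n", sentinel_intact_after(bag_append_fixed, 33) ? "intact" : "CORRUPTED");
    return 0;
}
```

With 32 appends both variants behave identically; only the 33rd element exposes the difference between the two comparisons.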
Attack Vector
The attack vector is network-based with low complexity and requires no authentication or user interaction. An attacker delivers a PKCS#12 blob containing 32 or more bag elements to a target service that parses it through GnuTLS. Confidentiality and integrity are unaffected; the primary observed impact is availability loss through process termination. The vulnerability manifests in PKCS#12 parsing routines; consult the Red Hat Bug Report and Red Hat CVE Report for technical details.
Detection Methods for CVE-2026-42015
Indicators of Compromise
- Unexpected crashes or segmentation faults in processes that load GnuTLS during PKCS#12 import or export operations
- Core dumps referencing GnuTLS PKCS#12 parsing functions on the stack
- Inbound transfers of PKCS#12 (.p12, .pfx) files containing 32 or more bag elements
Detection Strategies
- Inventory all hosts and containers that ship the vulnerable GnuTLS package using package manager queries such as rpm -q gnutls
- Monitor application logs from TLS-enabled services, certificate management tools, and VPN daemons for abnormal termination during certificate import
- Inspect PKCS#12 files received from untrusted sources and reject structures whose bag element count exceeds expected thresholds
Monitoring Recommendations
- Forward crash telemetry and core dump metadata into a centralized analytics platform for correlation with GnuTLS version data
- Alert on repeated process restarts of services that perform PKCS#12 handling, which can indicate exploit attempts
- Track package update status across the fleet to confirm patched GnuTLS versions are deployed
How to Mitigate CVE-2026-42015
Immediate Actions Required
- Apply the GnuTLS update referenced in the Red Hat Security Errata as soon as it is available for your distribution
- Restart all services that link against GnuTLS after patching to ensure the updated library is loaded into memory
- Audit exposed services that accept PKCS#12 input from untrusted sources and restrict access where possible
Patch Information
Red Hat has issued advisory RHSA-2026:20611 addressing CVE-2026-42015. Administrators running Red Hat Enterprise Linux or rebuilds should install the updated gnutls package through their standard patch management process. Consult the Red Hat CVE Report for the full list of affected packages and fixed versions.
Workarounds
- Limit network exposure of services that parse PKCS#12 data from untrusted peers until patches are applied
- Use application-layer filtering or proxies to reject PKCS#12 payloads exceeding expected sizes or element counts
- Enable process supervision and automatic restart for critical TLS services to reduce availability impact from crash-based denial of service
# Verify installed GnuTLS version and apply vendor update
rpm -q gnutls
sudo dnf update gnutls
sudo systemctl restart <tls-dependent-service>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.