CVE-2026-3832

NameCVE-2026-3832
DescriptionA flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1135319

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gnutls28 (PTS)bullseye3.7.1-5+deb11u5fixed
bullseye (security)3.7.1-5+deb11u9fixed
bookworm3.7.9-2+deb12u6fixed
bookworm (security)3.7.9-2+deb12u7fixed
trixie3.8.9-3+deb13u3vulnerable
trixie (security)3.8.9-3+deb13u4fixed
forky, sid3.8.13-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gnutls28sourcebullseye(not affected)
gnutls28sourcebookworm(not affected)
gnutls28sourcetrixie3.8.9-3+deb13u4
gnutls28source(unstable)3.8.13-11135319

Notes

[bookworm] - gnutls28 <not-affected> (Vulnerable code introduced later)
[bullseye] - gnutls28 <not-affected> (Vulnerable code introduced later)
https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-12
https://gitlab.com/gnutls/gnutls/-/issues/1801
https://gitlab.com/gnutls/gnutls/-/issues/1812
Introduced with: https://gitlab.com/gnutls/gnutls/-/commit/ae404fe8488dee424876b5963c00d7e041672415 (3.8.8)
Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/731861b9de8dccaf7d3b0c1446833051e48670c2 (3.8.13)
Test: https://gitlab.com/gnutls/gnutls/-/commit/d52d5f4f383e8c5d8e9a03334f2421ff35d37d2e (3.8.13)
Search for package or bug name: Reporting problems