CVE-2025-32989
MediumCVSS 5.3Exploitation Probability (EPSS)
Elevated risk64th percentile - higher than 64% of all known CVEs
Summary
A heap-buffer-overread vulnerability was found in GnuTLS when handling the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows an attacker to create a certificate with a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that may contain sensitive data. As a result, confidential information may be exposed when GnuTLS verifies certificates from certain websites if the SCT is not checked correctly.
Risk Assessment
The organization is at risk of leaking confidential data when GnuTLS verifies certificates from specific websites and the SCT extension is not properly validated. This could lead to unauthorized disclosure of sensitive information.
Recommendation
Immediately update the GnuTLS library to a version that fixes this vulnerability. Until the update is applied, consider limiting trust in certificates with malformed SCT extensions.
Original NVD description (English source)
A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.

