CVE-2025-32989Improper Certificate Validation in Redhat Enterprise Linux

CWE-295Improper Certificate Validation9 documents8 sources
Severity
5.3MEDIUMNVD
EPSS
0.1%
top 65.69%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Redhat Enterprise LinuxRedhat Openshift Container Platform
Timeline
PublishedJul 10
Latest updateJul 14

Description

A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checke

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages0 packages

Also affects: Enterprise Linux 10.0, 6.0, 7.0, 8.0, 9.0, Openshift Container Platform 4.0

🔴Vulnerability Details

4
OSV
gnutls28 vulnerabilities2025-07-14
GHSA
GHSA-f7q5-qg45-7vm8: A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extens2025-07-10
OSV
CVE-2025-32989: A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extens2025-07-10
CVEList
Gnutls: vulnerability in gnutls sct extension parsing2025-07-10

📋Vendor Advisories

4
Ubuntu
GnuTLS vulnerabilities2025-07-14
Red Hat
gnutls: Vulnerability in GnuTLS SCT extension parsing2025-07-10
Microsoft
Gnutls: vulnerability in gnutls sct extension parsing2025-07-08
Debian
CVE-2025-32989: gnutls28 - A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the C...2025
CVE-2025-32989 — Improper Certificate Validation | cvebase