Lucene search
K

EulerOS 2.0 SP12 : gnutls (EulerOS-SA-2026-2590)

🗓️ 10 Jul 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

GnuTLS on EulerOS 2.0 SP12 has DTLS heap overflow, zero-length fragment read, and nameConstraints bypass.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(326133);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/07/10");

  script_cve_id(
    "CVE-2026-3833",
    "CVE-2026-5260",
    "CVE-2026-33845",
    "CVE-2026-33846",
    "CVE-2026-42009",
    "CVE-2026-42010",
    "CVE-2026-42013",
    "CVE-2026-42014"
  );
  script_xref(name:"IAVA", value:"2026-A-0405");

  script_name(english:"EulerOS 2.0 SP12 : gnutls (EulerOS-SA-2026-2590)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the gnutls packages installed, the EulerOS installation on the remote host is affected by
the following vulnerabilities :

    A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The
    issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based
    solely on handshake type, without validating that the message_length field remains consistent across all
    fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with
    conflicting message_length values, causing the implementation to allocate a buffer based on a smaller
    initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because
    the merge operation does not enforce proper bounds checking against the allocated buffer size, this
    results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without
    authentication via the DTLS handshake path and can lead to application crashes or potential memory
    corruption.(CVE-2026-33846)

    A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset,
    leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is
    remotely exploitable and may cause information disclosure or denial of service.(CVE-2026-33845)

    A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons
    of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within
    `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf
    certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass
    where a certificate that should be rejected is instead accepted. This could result in unauthorized access
    or information disclosure.(CVE-2026-3833)

    A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer
    Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by
    sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to
    unstable packet ordering or undefined behavior, resulting in a denial of service.(CVE-2026-42009)

    A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest-Shamir-Adleman - Pre-Shared Key)
    wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could
    exploit this by sending a specially crafted username, leading to an authentication bypass. This
    vulnerability allows an attacker to gain unauthorized access by circumventing the authentication
    process.(CVE-2026-42010)

    This ID has been reserved by a CNA(CVE-2026-42014)

    A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN)
    could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This
    could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or
    man-in-the-middle attacks.(CVE-2026-42013)

    A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an
    RSA key exchange to a server using an RSA key backed by a PKCS#11 token, could trigger a short heap
    overread. This memory corruption vulnerability could lead to information disclosure.(CVE-2026-5260)

Tenable has extracted the preceding description block directly from the EulerOS gnutls security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2026-2590
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?05ec7877");
  script_set_attribute(attribute:"solution", value:
"Update the affected gnutls packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-42010");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/04/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/07/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/07/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:gnutls");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:gnutls-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:gnutls-help");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:gnutls-utils");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (_release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP12");

var sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(12)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP12");

if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP12", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

var flag = 0;

var pkgs = [
  "gnutls-3.7.2-6.h21.eulerosv2r12",
  "gnutls-devel-3.7.2-6.h21.eulerosv2r12",
  "gnutls-help-3.7.2-6.h21.eulerosv2r12",
  "gnutls-utils-3.7.2-6.h21.eulerosv2r12"
];

foreach (var pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"12", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gnutls");
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

10 Jul 2026 00:00Current
6.1Medium risk
Vulners AI Score6.1
CVSS 3.18.2 - 9.8
EPSS0.01335
SSVC
2