CVE-2024-28835: Gnutls: potential crash during chain building/verification
Description
A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command.
Classification
CVE ID: CVE-2024-28835
CVSS Base Severity: MEDIUM
CVSS Base Score: 5.0
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Problem Types
Uncaught ExceptionAffected Products
Vendor: , Red Hat
Product: , Red Hat Enterprise Linux 9, Red Hat Enterprise Linux 9.2 Extended Update Support, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.01% (probability of being exploited)
EPSS Percentile: 0.95% (scored less or equal to compared to others)
EPSS Date: 2025-06-19 (when was this score calculated)
Stakeholder-Specific Vulnerability Categorization (SSVC)
SSVC Exploitation: none
SSVC Technical Impact: partial
SSVC Automatable: false
References
https://nvd.nist.gov/vuln/detail/CVE-2024-28835https://access.redhat.com/errata/RHSA-2024:1879
https://access.redhat.com/errata/RHSA-2024:2570
https://access.redhat.com/errata/RHSA-2024:2889
https://access.redhat.com/security/cve/CVE-2024-28835
https://bugzilla.redhat.com/show_bug.cgi?id=2269084
https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html