CVE-2025-32988
Published: 10 July 2025
Summary
CVE-2025-32988 is a medium-severity Double Free (CWE-415) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 45.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-32988 is a double-free vulnerability in the GnuTLS library, caused by incorrect ownership handling in the export logic for Subject Alternative Name (SAN) entries containing an otherName. When the type-id OID is invalid or malformed, GnuTLS calls asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This flaw, classified under CWE-415, affects GnuTLS and was published on 2025-07-10 with a CVSS v3.1 base score of 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H).
The vulnerability can be triggered remotely by unauthenticated attackers using only public GnuTLS APIs, though it requires high attack complexity. Successful exploitation may result in denial of service or memory corruption, depending on the behavior of the underlying memory allocator.
Red Hat has released multiple errata addressing this vulnerability, including RHSA-2025:16115, RHSA-2025:16116, RHSA-2025:17181, RHSA-2025:17348, and RHSA-2025:17361, which provide updated packages or patches for affected systems.
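The ownership error described above, modeled as an added C example; it is not GnuTLS or libtasn1 code and not the upstream patch. All names (struct node, node_release, export_othername_flawed, export_othername_fixed, releases_after_export) and the OID check are hypothetical, and releases are counted instead of freed so the double release is observable without corrupting memory.

```c
#include <stdio.h>

/* Toy stand-in for an ASN.1 node (not libtasn1's type). Instead of
 * calling free(), release is counted so a double release is observable. */
struct node { int release_count; };

static void node_release(struct node *n) { n->release_count++; }

/* Constructed check: accept only dotted-decimal strings such as "1.2.3". */
static int oid_is_valid(const char *oid) {
    if (!oid || *oid < '0' || *oid > '9') return 0;
    for (const char *p = oid; *p; p++) {
        int digit = (*p >= '0' && *p <= '9');
        if (!digit && !(*p == '.' && p[1] >= '0' && p[1] <= '9')) return 0;
    }
    return 1;
}

/* Flawed helper: the node is borrowed, yet the error path releases it. */
static int export_othername_flawed(struct node *borrowed, const char *type_id) {
    if (!oid_is_valid(type_id)) {
        node_release(borrowed);   /* ownership violation */
        return -1;
    }
    return 0;
}

/* Ownership-respecting helper: the error path only reports failure. */
static int export_othername_fixed(struct node *borrowed, const char *type_id) {
    (void)borrowed;
    return oid_is_valid(type_id) ? 0 : -1;
}

/* Caller owns the node and releases it exactly once on every path.
 * Returns how many times the node ended up released (1 is correct). */
int releases_after_export(int use_fixed, const char *type_id) {
    struct node n = {0};
    if (use_fixed) export_othername_fixed(&n, type_id);
    else           export_othername_flawed(&n, type_id);
    node_release(&n);             /* owner's normal cleanup */
    return n.release_count;
}

int main(void) {
    printf("flawed, malformed type-id: %d releases\n", releases_after_export(0, "not-an-oid"));
    printf("fixed,  malformed type-id: %d releases\n", releases_after_export(1, "not-an-oid"));
    return 0;
}
```

A release count of 2 on the malformed input is the double free; with a real allocator, building the test harness with AddressSanitizer is one way to surface the same condition.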
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20928
Vulnerability details
A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated trigger of memory corruption in GnuTLS (used by network services) directly enables exploitation of public-facing applications for DoS/memory impact.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely application of vendor patches (e.g., RHSA-2025:16115 et al.) that correct the ASN.1 ownership error and eliminate the double-free in GnuTLS SAN export logic.
Enforces memory-protection mechanisms that can detect or block double-free corruption before it produces DoS or memory-safety violations in the GnuTLS library.
Requires continuous vulnerability scanning to identify systems still running the unpatched GnuTLS version vulnerable to the otherName type-id double-free.