Cyber Resilience

CVE-2025-32988

Medium · Updated

Published: 10 July 2025
Modified: 12 May 2026
KEV Added
Patch
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.0023 (45.7th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-32988 is a medium-severity Double Free (CWE-415) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 45.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-32988 is a double-free vulnerability in the GnuTLS library, caused by incorrect ownership handling in the export logic for Subject Alternative Name (SAN) entries containing an otherName. When the type-id OID is invalid or malformed, GnuTLS calls asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This flaw, classified under CWE-415, affects GnuTLS and was published on 2025-07-10 with a CVSS v3.1 base score of 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H).
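A simplified model of the ownership error described above, added here as an illustration and not taken from GnuTLS or from this page. All names (node, node_delete, oid_is_valid, write_othername_vuln, write_othername_fixed, export_san) and the OID check are hypothetical, and deletions are counted rather than performed so the double free is observable without corrupting the heap.

```c
#include <stdio.h>
#include <string.h>
/* Toy stand-in for an ASN.1 node (hypothetical); `frees` counts deletions. */
typedef struct node { int frees; } node;

/* Delete-and-NULL helper: clears the pointer whose address it is given. */
static void node_delete(node **n) {
    if (*n) { (*n)->frees++; *n = NULL; }
}

/* Simplified type-id check (assumption): dotted decimal with no empty arcs. */
static int oid_is_valid(const char *oid) {
    size_t i, len = strlen(oid);
    if (len == 0 || oid[0] == '.' || oid[len - 1] == '.') return 0;
    for (i = 0; i < len; i++) {
        if (oid[i] == '.' && oid[i + 1] == '.') return 0;   /* empty arc */
        if (oid[i] != '.' && (oid[i] < '0' || oid[i] > '9')) return 0;
    }
    return 1;
}

/* BEFORE: the helper only borrows `ext` but deletes it on the error path. */
static int write_othername_vuln(node *ext, const char *oid) {
    if (oid_is_valid(oid)) return 0;
    node_delete(&ext);   /* not ours; NULLs only this local copy */
    return -1;
}

/* AFTER: the borrower reports the error and leaves cleanup to the owner. */
static int write_othername_fixed(node *ext, const char *oid) {
    (void)ext;
    return oid_is_valid(oid) ? 0 : -1;
}

/* Owner: creates the node, calls the helper, and always cleans up.
 * Returns how many times the node was deleted; anything above 1 is a bug. */
static int export_san(int (*write_fn)(node *, const char *), const char *oid) {
    node storage = {0};
    node *ext = &storage;
    (void)write_fn(ext, oid);
    node_delete(&ext);   /* owner's cleanup; its pointer was never cleared */
    return storage.frees;
}

int main(void) {
    printf("vulnerable, bad OID: %d deletions\n", export_san(write_othername_vuln, "1.2..x"));
    printf("fixed, bad OID:      %d deletions\n", export_san(write_othername_fixed, "1.2..x"));
    return 0;
}
```

Only the malformed type-id reaches the faulty error path; a well-formed OID yields a single deletion in both variants, which is why such a bug can go unnoticed when only valid inputs are exercised.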

The vulnerability can be triggered remotely by unauthenticated attackers using only public GnuTLS APIs, though it requires high attack complexity. Successful exploitation may result in denial of service or memory corruption, depending on the behavior of the underlying memory allocator.

Red Hat has released multiple errata addressing this vulnerability, including RHSA-2025:16115, RHSA-2025:16116, RHSA-2025:17181, RHSA-2025:17348, and RHSA-2025:17361, which provide updated packages or patches for affected systems.

Vulnerability details

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.

CWE(s)

CWE-415 (Double Free)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated trigger of memory corruption in GnuTLS (used by network services) directly enables exploitation of public-facing applications for DoS/memory impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33845 · Same product: Gnu Gnutls
CVE-2026-42010 · Same product: Gnu Gnutls
CVE-2025-32990 · Same product: Gnu Gnutls
CVE-2026-3442 · Same product: Redhat Enterprise Linux
CVE-2025-0678 · Same product: Redhat Enterprise Linux
CVE-2026-4480 · Same product: Redhat Enterprise Linux
CVE-2024-45782 · Same product: Redhat Enterprise Linux
CVE-2026-3441 · Same product: Redhat Enterprise Linux
CVE-2026-6846 · Same product: Redhat Enterprise Linux
CVE-2026-5121 · Same product: Redhat Enterprise Linux

Affected Assets

gnu gnutls: ≤ 3.8.10
redhat openshift container platform: 4.0
redhat enterprise linux: 10.0, 6.0, 7.0, 8.0, 9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of vendor patches (e.g., RHSA-2025:16115 et al.) that correct the ASN.1 ownership error and eliminate the double-free in GnuTLS SAN export logic.

prevent

Enforces memory-protection mechanisms that can detect or block double-free corruption before it produces DoS or memory-safety violations in the GnuTLS library.

detect

Requires continuous vulnerability scanning to identify systems still running the unpatched GnuTLS version vulnerable to the otherName type-id double-free.
