Cyber Resilience

CVE-2025-32990

Severity: Medium
Published: 10 July 2025
Modified: 20 April 2026
KEV Added: not listed
Patch: available (Red Hat errata, see below)
CVSS v3.1 Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
EPSS Score: 0.0029 (52.9th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-32990 is a medium-severity heap-based buffer overflow (CWE-122) vulnerability in GnuTLS as shipped with Red Hat Enterprise Linux. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 47.1% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-32990 is a heap-buffer-overflow vulnerability stemming from an off-by-one error in the GnuTLS software library, specifically within the template parsing logic of the certtool utility. This flaw occurs when certtool processes certain settings from a template file, enabling an out-of-bounds NULL pointer write that leads to memory corruption. The issue is classified under CWE-122 (Heap-based Buffer Overflow) and carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L), indicating medium severity with network accessibility, low attack complexity, and no requirements for privileges or user interaction.

An unauthenticated attacker can exploit this vulnerability remotely by supplying a maliciously crafted template file to a system running a vulnerable version of certtool. Successful exploitation triggers memory corruption, resulting in a denial-of-service condition that could crash the affected process. The impact is limited to low integrity and availability disruption with no confidentiality loss, but because no privileges are required, the flaw is reachable by remote adversaries targeting GnuTLS deployments. Practical exposure depends on whether certtool is ever run against template files that originate from an untrusted source; deployments that only process locally authored templates have a much smaller attack surface.

Red Hat has addressed this vulnerability through multiple errata releases, including RHSA-2025:16115, RHSA-2025:16116, RHSA-2025:17181, RHSA-2025:17348, and RHSA-2025:17361, which provide updated packages for affected Red Hat products using GnuTLS. Security practitioners should apply these patches promptly to mitigate the risk of exploitation.

Vulnerability details

A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.

CWE(s)

CWE-122: Heap-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The heap buffer overflow in certtool enables remote application exploitation, resulting in memory corruption and a DoS crash.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33845 (same product: Gnu Gnutls)
CVE-2025-32988 (same product: Gnu Gnutls)
CVE-2026-6846 (same product: Redhat Enterprise Linux)
CVE-2026-42010 (same product: Gnu Gnutls)
CVE-2026-1584 (same product: Gnu Gnutls)
CVE-2026-3442 (same product: Redhat Enterprise Linux)
CVE-2026-5201 (same product: Redhat Enterprise Linux)
CVE-2025-0678 (same product: Redhat Enterprise Linux)
CVE-2026-3441 (same product: Redhat Enterprise Linux)
CVE-2024-45782 (same product: Redhat Enterprise Linux)

Affected Assets

gnu / gnutls: all versions
redhat / openshift container platform: 4.0
redhat / enterprise linux: 10.0, 6.0, 7.0, 8.0, 9.0

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely installation of vendor patches (e.g., RHSA-2025:16115 et al.) that eliminate the off-by-one heap overflow in certtool template parsing.

SI-10 Information Input Validation (prevent)

Mandates validation of untrusted input (template files) before processing, which would have rejected the malformed data that triggers the OOB NULL write.

SI-16 Memory Protection (prevent)

Requires memory-protection mechanisms that can contain or block the heap corruption resulting from the buffer-overflow flaw.
