CVE-2026-33845
Published: 30 April 2026
Summary
CVE-2026-33845 is a high-severity Integer Underflow (Wrap or Wraparound, CWE-191) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 14.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and remediation of flaws such as the integer underflow in GnuTLS DTLS handshake parsing to prevent exploitation.
- SI-10 (Information Input Validation): mandates validation of information inputs such as malformed DTLS fragments with zero length and non-zero offset, blocking the processing that triggers the underflow and out-of-bounds read.
- SC-5 (Denial-of-service Protection): provides protections against denial-of-service events caused by remotely exploitable crafted DTLS packets that lead to crashes from out-of-bounds reads.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote, unauthenticated exploitation of a DTLS parsing flaw in GnuTLS (an out-of-bounds read via malformed handshake fragments). This directly facilitates initial access through Exploit Public-Facing Application (T1190) against services that use the library to handle DTLS traffic.
NVD Description
A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.
Deeper analysis
CVE-2026-33845 is a vulnerability in the GnuTLS library's DTLS handshake parsing mechanism. The flaw enables the processing of malformed fragments that have zero length but a non-zero offset, triggering an integer underflow (CWE-191) during reassembly and resulting in an out-of-bounds read. This issue affects GnuTLS implementations that handle DTLS traffic.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): network-based exploitation with low attack complexity, requiring neither privileges nor user interaction, with the impact confined to availability. Unauthenticated remote attackers can send crafted DTLS handshake packets to vulnerable GnuTLS instances, potentially causing information disclosure or denial of service through the out-of-bounds read.
Red Hat has documented the issue in security advisories and provides related details on its CVE page at https://access.redhat.com/security/cve/CVE-2026-33845 and in the Bugzilla tracker at https://bugzilla.redhat.com/show_bug.cgi?id=2450624, where mitigation guidance such as patches or workarounds may be available.
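The arithmetic behind a CWE-191 underflow in fragment reassembly, as an added illustration alongside the hardened check a defender would expect; this is a constructed example, not GnuTLS's code, and the naive_new_bytes bookkeeping, the reasm_t layout and the 64-byte buffer are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdbool.h>

/* DTLS handshake fragment fields (24-bit on the wire per RFC 6347). */
typedef struct {
    uint32_t msg_len;   /* total length of the handshake message */
    uint32_t frag_off;  /* offset of this fragment within the message */
    uint32_t frag_len;  /* payload bytes carried by this fragment */
} dtls_frag_t;

/* Reassembly state (assumed layout): bytes [0, have) have been received. */
typedef struct {
    uint8_t  buf[64];   /* constructed small buffer; real messages are larger */
    uint32_t msg_len;
    uint32_t have;
} reasm_t;

/* Naive bookkeeping of the CWE-191 kind (constructed, not GnuTLS's code):
 * it derives "bytes this fragment adds" with unsigned subtraction. A
 * zero-length fragment whose non-zero offset lies inside the received
 * prefix gives (frag_off + frag_len) < have, so the result wraps to a
 * value near UINT32_MAX; used as a copy or scan length, that reads past
 * the buffer. Returns the wrapped value so the caller can observe it. */
uint32_t naive_new_bytes(const reasm_t *r, const dtls_frag_t *f) {
    uint32_t end = f->frag_off + f->frag_len;
    return end - r->have;                      /* wraps when end < have */
}

/* Hardened validation: every bound is checked with comparisons that cannot
 * wrap before any length is derived from peer-controlled fields. */
bool dtls_fragment_ok(const reasm_t *r, const dtls_frag_t *f) {
    if (f->msg_len != r->msg_len || f->msg_len > sizeof r->buf) return false;
    if (f->frag_off > f->msg_len) return false;               /* off past end */
    if (f->frag_len > f->msg_len - f->frag_off) return false; /* off+len past end */
    if (f->frag_len == 0 && f->frag_off != 0) return false;   /* the CVE-2026-33845 shape */
    return true;                   /* off=0,len=0 stays legal: empty message body */
}

/* Safe variant: rejects malformed fragments and never wraps. */
uint32_t safe_new_bytes(const reasm_t *r, const dtls_frag_t *f) {
    if (!dtls_fragment_ok(r, f)) return 0;
    uint32_t end = f->frag_off + f->frag_len;  /* bounded by msg_len here */
    return end > r->have ? end - r->have : 0;
}
```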
Details
- CWE(s): CWE-191 (Integer Underflow (Wrap or Wraparound))