Cyber Resilience

CVE-2026-33845

Severity: High

Published: 30 April 2026
Modified: 30 June 2026
KEV Added: not listed
Patch
CVSS Score: v3.1 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0080 (52.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33845 is a high-severity Integer Underflow (Wrap or Wraparound, CWE-191) vulnerability in the GnuTLS library as shipped in Red Hat Enterprise Linux. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 47.8% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33845 is a vulnerability in the DTLS handshake parsing code of the GnuTLS library. The parser accepts malformed handshake fragments that have zero length but a non-zero offset; during reassembly this triggers an integer underflow (CWE-191) and results in an out-of-bounds read. The issue affects deployments of GnuTLS that handle DTLS traffic.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): network-reachable, low attack complexity, and no privileges or user interaction required. An unauthenticated remote attacker can send crafted DTLS handshake packets to a vulnerable GnuTLS instance, potentially causing information disclosure or denial of service through the out-of-bounds read. Note that the vector itself scores only availability impact (C:N, I:N, A:H), so the denial-of-service outcome is the one reflected in the score.

Red Hat has documented the issue in its security advisories and provides related details on its CVE page at https://access.redhat.com/security/cve/CVE-2026-33845 and in the Bugzilla tracker at https://bugzilla.redhat.com/show_bug.cgi?id=2450624, where mitigation guidance such as patches or workarounds may be available.
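The following C program is an added illustration, not GnuTLS code and not the project's fix: it parses a DTLS handshake fragment header (layout per RFC 6347), shows the unguarded unsigned subtraction that wraps (CWE-191) when the fragment offset exceeds the message length, and a guarded consistency check that rejects an empty fragment at a non-zero offset before any reassembly arithmetic runs. The sample headers are constructed, and the function names and the 16 KiB maximum message size are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DTLS_HS_HEADER_LEN 12  /* msg_type(1) length(3) message_seq(2) frag_offset(3) frag_length(3) */
/* The three header fields the reassembly bounds check depends on (RFC 6347 section 4.2.2). */
typedef struct { uint32_t length, frag_offset, frag_length; } dtls_hs_hdr;
static uint32_t be24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2]; }

/* Returns 0 on success, -1 if the buffer cannot hold a full header. */
int dtls_parse_hs_header(const uint8_t *buf, size_t len, dtls_hs_hdr *h) {
    if (buf == NULL || h == NULL || len < DTLS_HS_HEADER_LEN) return -1;
    h->length      = be24(buf + 1);
    h->frag_offset = be24(buf + 6);
    h->frag_length = be24(buf + 9);
    return 0;
}
/* Unsigned arithmetic of the kind that wraps (CWE-191) when offset is not checked against
 * length first: 4 - 8 - 0 becomes 0xFFFFFFFC. Illustration only, not the GnuTLS code path. */
uint32_t remaining_after_fragment_unchecked(const dtls_hs_hdr *h) {
    return h->length - h->frag_offset - h->frag_length;
}
/* Hardened check: every subtraction is guarded, and an empty fragment at a non-zero
 * offset (the shape named in the advisory) is rejected outright. Returns 1 if acceptable. */
int dtls_fragment_is_valid(const dtls_hs_hdr *h, uint32_t max_msg_len) {
    if (h->length > max_msg_len) return 0;
    if (h->frag_offset > h->length) return 0;
    if (h->frag_length > h->length - h->frag_offset) return 0;  /* safe: offset <= length */
    if (h->frag_length == 0 && h->frag_offset != 0) return 0;
    return 1;
}

/* Parse, validate, and confirm the fragment body is actually present. Returns 1 to accept. */
int dtls_accept_fragment(const uint8_t *buf, size_t len, uint32_t max_msg_len) {
    dtls_hs_hdr h;
    if (dtls_parse_hs_header(buf, len, &h) != 0) return 0;
    if (!dtls_fragment_is_valid(&h, max_msg_len)) return 0;
    return (len - DTLS_HS_HEADER_LEN) >= h.frag_length;
}

/* Constructed sample headers (not captured traffic); byte order as in the #define above. */
static const uint8_t SAMPLE_WHOLE[28] = { 1, 0,0,16, 0,0, 0,0,0, 0,0,16 };  /* + 16 zero body bytes */
static const uint8_t SAMPLE_EMPTY_AT_OFFSET[12] = { 1, 0,0,16, 0,0, 0,0,8, 0,0,0 };
static const uint8_t SAMPLE_OFFSET_PAST_END[12] = { 1, 0,0,4, 0,0, 0,0,8, 0,0,0 };

int main(void) {
    printf("whole=%d empty_at_offset=%d offset_past_end=%d\n",
           dtls_accept_fragment(SAMPLE_WHOLE, sizeof SAMPLE_WHOLE, 16384),
           dtls_accept_fragment(SAMPLE_EMPTY_AT_OFFSET, sizeof SAMPLE_EMPTY_AT_OFFSET, 16384),
           dtls_accept_fragment(SAMPLE_OFFSET_PAST_END, sizeof SAMPLE_OFFSET_PAST_END, 16384));
    return 0;   /* prints: whole=1 empty_at_offset=0 offset_past_end=0 */
}
```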

Vulnerability details

A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.

CWE(s): CWE-191 Integer Underflow (Wrap or Wraparound)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables remote unauthenticated exploitation of a DTLS parsing flaw in GnuTLS (out-of-bounds read via malformed handshake fragments), directly facilitating initial access by exploiting public-facing applications or services that use the library for DTLS traffic.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-32988 (same product: GNU GnuTLS)
CVE-2026-42010 (same product: GNU GnuTLS)
CVE-2025-32990 (same product: GNU GnuTLS)
CVE-2026-4480 (same product: Red Hat Enterprise Linux)
CVE-2026-3441 (same product: Red Hat Enterprise Linux)
CVE-2024-45782 (same product: Red Hat Enterprise Linux)
CVE-2026-3442 (same product: Red Hat Enterprise Linux)
CVE-2025-0678 (same product: Red Hat Enterprise Linux)
CVE-2026-5121 (same product: Red Hat Enterprise Linux)
CVE-2026-6846 (same product: Red Hat Enterprise Linux)

Affected Assets

GNU GnuTLS: all versions
Red Hat OpenShift Container Platform: 4.0
Red Hat Enterprise Linux: 10.0, 6.0, 7.0, 8.0, 9.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent): requires timely identification, reporting, and remediation of flaws such as the integer underflow in GnuTLS DTLS handshake parsing, so that the fix is applied before exploitation.

SI-10 Information Input Validation (prevent): mandates validation of information inputs, such as DTLS fragments with zero length and non-zero offset, so that processing which would trigger the underflow and out-of-bounds read is rejected.

SC-5 Denial-of-Service Protection (prevent): provides protections against denial-of-service events caused by remotely sent crafted DTLS packets that lead to crashes from out-of-bounds reads.
