Cyber Resilience

CVE-2026-33846

Severity: High (updated)

Published: 04 May 2026
Modified: 02 June 2026
KEV Added: not listed
Patch: Red Hat errata RHSA-2026:13274
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0009 (25.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33846 is a high-severity Improper Handling of Length Parameter Inconsistency (CWE-130) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 25.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A heap buffer overflow vulnerability, tracked as CVE-2026-33846, exists in the DTLS handshake fragment reassembly logic of GnuTLS. The flaw occurs in the merge_handshake_packet() function, where incoming handshake fragments are matched and merged based solely on handshake type without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments due to inadequate bounds checking against the allocated buffer size.

This vulnerability is remotely exploitable without authentication via the DTLS handshake path by any network attacker. Exploitation involves sending specially crafted DTLS fragments, leading to out-of-bounds writes on the heap that can result in application crashes or potential memory corruption. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-130 (Improper Handling of Length Parameter Inconsistency).

Red Hat has issued errata RHSA-2026:13274 to address the issue. Further details on the vulnerability and remediation are available via the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-33846 and Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2450625.

Vulnerability details

A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.
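As an added example, not code from the page, from GnuTLS or from Red Hat, the C reassembler below shows the check the description above identifies as missing: the buffer is sized once from the first fragment's message_length, every later fragment for the same logical message must repeat that value, and each fragment's offset and length must fit inside the allocated size, with the arithmetic written so a wrapping offset cannot slip past the check. The struct, function names and sample fragments are hypothetical constructions; the header fields follow the DTLS handshake layout, in which message_length, fragment_offset and fragment_length are 24-bit values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical DTLS handshake fragment (not GnuTLS's own types). The three
 * length fields are 24-bit on the wire, so they never exceed DTLS_U24_MAX. */
typedef struct {
    uint8_t        msg_type;        /* HandshakeType */
    uint16_t       msg_seq;         /* message_seq */
    uint32_t       message_length;  /* declared length of the whole message */
    uint32_t       fragment_offset;
    uint32_t       fragment_length;
    const uint8_t *body;            /* fragment_length bytes */
} dtls_fragment_t;

/* Reassembly state for one logical handshake message. */
typedef struct {
    uint8_t   msg_type;
    uint16_t  msg_seq;
    uint32_t  message_length;  /* fixed when the first fragment is accepted */
    uint8_t  *buf;             /* exactly message_length bytes */
    uint8_t  *seen;            /* per-byte coverage map, same size as buf */
    uint32_t  covered;         /* distinct bytes received so far */
} reassembly_t;

#define DTLS_U24_MAX 0xFFFFFFu

/* Size the buffer from the first fragment's message_length; body is merged later. */
int reasm_init(reassembly_t *r, const dtls_fragment_t *f)
{
    memset(r, 0, sizeof *r);
    if (f->message_length == 0 || f->message_length > DTLS_U24_MAX)
        return -1;
    r->buf  = calloc(f->message_length, 1);
    r->seen = calloc(f->message_length, 1);
    if (!r->buf || !r->seen) { free(r->buf); free(r->seen); return -1; }
    r->msg_type       = f->msg_type;
    r->msg_seq        = f->msg_seq;
    r->message_length = f->message_length;
    return 0;
}

/* Merge one fragment. Returns 0 on success, -1 if the fragment is refused.
 * Unlike matching on handshake type alone, this requires every fragment to
 * repeat the message_length the buffer was sized from and to fit inside it. */
int reasm_merge(reassembly_t *r, const dtls_fragment_t *f)
{
    if (f->msg_type != r->msg_type || f->msg_seq != r->msg_seq ||
        f->message_length != r->message_length)
        return -1;                                   /* inconsistent fragment */
    /* Bounds check phrased to avoid 32-bit wrap in offset + length. */
    if (f->fragment_length > r->message_length ||
        f->fragment_offset > r->message_length - f->fragment_length)
        return -1;                                   /* would overrun buf */
    for (uint32_t i = 0; i < f->fragment_length; i++) {
        uint32_t pos = f->fragment_offset + i;
        if (!r->seen[pos]) { r->seen[pos] = 1; r->covered++; }
        r->buf[pos] = f->body[i];                    /* retransmits overwrite */
    }
    return 0;
}

int reasm_complete(const reassembly_t *r) { return r->covered == r->message_length; }

void reasm_free(reassembly_t *r) { free(r->buf); free(r->seen); memset(r, 0, sizeof *r); }

/* Constructed sample: a 12-byte message split into two consistent fragments.
 * Returns 1 when the message reassembles byte for byte. */
int demo_consistent_fragments(void)
{
    static const uint8_t full[12] = {'C','l','i','e','n','t','H','e','l','l','o','!'};
    dtls_fragment_t f1 = {1, 0, 12, 0, 7, full};
    dtls_fragment_t f2 = {1, 0, 12, 7, 5, full + 7};
    reassembly_t r;
    int ok = reasm_init(&r, &f1) == 0 && reasm_merge(&r, &f1) == 0 &&
             reasm_merge(&r, &f2) == 0 && reasm_complete(&r) &&
             memcmp(r.buf, full, 12) == 0;
    reasm_free(&r);
    return ok;
}

/* Constructed sample of the pattern described above: the first fragment declares
 * an 8-byte message, a later fragment of the same type claims 64 bytes and would
 * write 32 bytes at offset 4. Returns 1 when that fragment is refused. */
int demo_conflicting_message_length(void)
{
    static const uint8_t small[8] = {0}, big[32] = {0};
    dtls_fragment_t f1 = {1, 0, 8, 0, 4, small};
    dtls_fragment_t f2 = {1, 0, 64, 4, 32, big};
    reassembly_t r;
    if (reasm_init(&r, &f1) != 0 || reasm_merge(&r, &f1) != 0) return 0;
    int refused = reasm_merge(&r, &f2) == -1;
    reasm_free(&r);
    return refused;
}

/* A fragment that repeats the correct message_length but whose own range
 * overruns the buffer (offset 6 + length 4 > 8) is refused as well. */
int demo_overrunning_fragment(void)
{
    static const uint8_t body[8] = {0};
    dtls_fragment_t f1 = {1, 0, 8, 0, 4, body};
    dtls_fragment_t f2 = {1, 0, 8, 6, 4, body};
    reassembly_t r;
    if (reasm_init(&r, &f1) != 0 || reasm_merge(&r, &f1) != 0) return 0;
    int refused = reasm_merge(&r, &f2) == -1;
    reasm_free(&r);
    return refused;
}

int main(void)
{
    printf("consistent fragments reassembled: %d\n", demo_consistent_fragments());
    printf("conflicting message_length refused: %d\n", demo_conflicting_message_length());
    printf("overrunning fragment refused: %d\n", demo_overrunning_fragment());
    return 0;
}
```

The second check is deliberately written as `offset > message_length - length` after confirming `length <= message_length`; the more natural `offset + length > message_length` can wrap in 32-bit arithmetic and pass a fragment that belongs far outside the buffer.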

CWE(s)

CWE-130 Improper Handling of Length Parameter Inconsistency

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Remote unauthenticated DTLS fragment exploit in GnuTLS enables T1190 (public-facing app exploitation) and T1499.004 (application exploitation for DoS via crash/memory corruption).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-14847 (shared CWE-130)
CVE-2026-41035 (shared CWE-130)
CVE-2026-3868 (shared CWE-130)
CVE-2026-5367 (shared CWE-130)
CVE-2026-31635 (shared CWE-130)
CVE-2026-41898 (shared CWE-130)
CVE-2026-35547 (shared CWE-130)
CVE-2026-22255 (shared CWE-130)
CVE-2026-22047 (shared CWE-130)
CVE-2026-22861 (shared CWE-130)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent (SI-2 Flaw Remediation): Applying vendor-issued patches, such as Red Hat errata RHSA-2026:13274, directly remediates the heap buffer overflow in the GnuTLS DTLS fragment reassembly logic.

Prevent (SI-16 Memory Protection): Memory protection mechanisms such as non-executable memory, address space layout randomization and hardened allocators reduce the exploitability of the out-of-bounds heap write caused by inconsistent DTLS fragment lengths; they do not remove the crash (availability) impact, which only the patch addresses.

Prevent (input validation): Validating that the message_length field is consistent across all DTLS handshake fragments of one logical message, and that each fragment's offset and length fit within the buffer allocated from it, prevents buffer allocation and merging based on conflicting values.

References

Red Hat security advisory: https://access.redhat.com/security/cve/CVE-2026-33846
Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2450625