CVE-2025-14831

Published Feb 9, 2026

Last updated 8 days ago

CVSS medium 5.3

Ubuntu

Overview

Description: A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).
Source: secalert@redhat.com
NVD status: Deferred

Risk scores

CVSS 3.1

Type: Secondary
Base score: 5.3
Impact score: 1.4
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Severity: MEDIUM

Weaknesses

secalert@redhat.com: CWE-407

Hype score: Not currently trending

BREAKING: SUSE Linux Micro 6.2 releases gnutls update patching CVE-2025-14831 DoS and CVE-2025-9820 buffer overflow, admins urged to apply via YaST or zypper immediately. https://t.co/lcMx8nOZi7
@threatcluster
8 Apr 2026
170 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#Mageia 2026-0045 addresses a high-severity GnuTLS flaw (CVE-2025-14831). This isn't just a patch; it's a compliance and operational necessity. Read more: 👉 https://t.co/BgZ0aVmCFY #Security https://t.co/ICq0mxgtJ2
@Cezar_H_Linux
21 Feb 2026
60 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Heads up, #Debian community! 🐧 A significant DoS vulnerability (CVE-2025-14831) in the #GnuTLS library has been patched. Read more: 👉 https://t.co/99oEmHPzRW #Security https://t.co/s0NgAZrKGy
@Cezar_H_Linux
18 Feb 2026
47 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
GNUTLS-SA-2026-02-09-1、CVE-2026-1584 Severity High; invalid pointer access GNUTLS-SA-2026-02-09-2、CVE-2025-14831 Severity Medium; denial of service The GnuTLS Transport Layer Security Library https://t.co/KkxVAntDe6
@autumn_good_35
10 Feb 2026
128 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
GnuTLS 3.8.12 fixes 2 CVEs https://t.co/9rzV3GhTDn CVE-2026-1584: NULL pointer dereference in PSK binder verification (TLS 1.3 resumption attempt with an invalid PSK binder value in ClientHello could lead to DoS) CVE-2025-14831: Name constraint processing performance issue
@oss_security
10 Feb 2026
663 Impressions
2 Retweets
5 Likes
1 Bookmark
1 Reply
0 Quotes
CVE-2025-14831 Denial of Service Vulnerability in GnuTLS via Malicious C... https://t.co/Uqf1i9lcLH Don't wait vulnerability scanning results: https://t.co/oh1APvMMnd
@VulmonFeeds
9 Feb 2026
48 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
CVE-2025-14831 A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafte… https://t.co/TayL7snrFO
@CVEnew
9 Feb 2026
260 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes

PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`: 1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING. 2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags. 3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads cached_transaction_flags at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.•CVE-2026-41651
A flaw was found in gnutls. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted ClientHello message with an invalid Pre-Shared Key (PSK) binder value during the TLS handshake. This can lead to a NULL pointer dereference, causing the server to crash and resulting in a remote Denial of Service (DoS) condition.•CVE-2026-1584
In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.•CVE-2026-35535
In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race on rawdata dereference There is a race condition that leads to a use-after-free situation: because the rawdata inodes are not refcounted, an attacker can start open()ing one of the rawdata files, and at the same time remove the last reference to this rawdata (by removing the corresponding profile, for example), which frees its struct aa_loaddata; as a result, when seq_rawdata_open() is reached, i_private is a dangling pointer and freed memory is accessed. The rawdata inodes weren't refcounted to avoid a circular refcount and were supposed to be held by the profile rawdata reference. However during profile removal there is a window where the vfs and profile destruction race, resulting in the use after free. Fix this by moving to a double refcount scheme. Where the profile refcount on rawdata is used to break the circular dependency. Allowing for freeing of the rawdata once all inode references to the rawdata are put.•CVE-2026-23410
In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race between freeing data and fs accessing it AppArmor was putting the reference to i_private data on its end after removing the original entry from the file system. However the inode can aand does live beyond that point and it is possible that some of the fs call back functions will be invoked after the reference has been put, which results in a race between freeing the data and accessing it through the fs. While the rawdata/loaddata is the most likely candidate to fail the race, as it has the fewest references. If properly crafted it might be possible to trigger a race for the other types stored in i_private. Fix this by moving the put of i_private referenced data to the correct place which is during inode eviction.•CVE-2026-23411

References

Sources include official advisories and independent security research.

https://nvd.nist.gov/vuln/detail/CVE-2025-14831
https://access.redhat.com/errata/RHSA-2026:3477
https://access.redhat.com/errata/RHSA-2026:4188
https://access.redhat.com/errata/RHSA-2026:4655
https://access.redhat.com/errata/RHSA-2026:4943
https://access.redhat.com/errata/RHSA-2026:5585
https://access.redhat.com/errata/RHSA-2026:5606
https://access.redhat.com/errata/RHSA-2026:6618
https://access.redhat.com/errata/RHSA-2026:6630
https://access.redhat.com/errata/RHSA-2026:6737
https://access.redhat.com/errata/RHSA-2026:6738
https://access.redhat.com/errata/RHSA-2026:7329
https://access.redhat.com/errata/RHSA-2026:7335
https://access.redhat.com/errata/RHSA-2026:7477
https://access.redhat.com/errata/RHSA-2026:8746
https://access.redhat.com/errata/RHSA-2026:8747
https://access.redhat.com/errata/RHSA-2026:8748
https://access.redhat.com/security/cve/CVE-2025-14831
https://bugzilla.redhat.com/show_bug.cgi?id=2423177
https://gitlab.com/gnutls/gnutls/-/issues/1773

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Related CVEs

References