Heap Buffer Overflow Vulnerability in GnuTLS DTLS Handshake Process
CVE-2026-33846
What is CVE-2026-33846?
A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. This issue originates from the merge_handshake_packet() function, where the handling of incoming handshake fragments is compromised. The logic relies solely on the handshake type for matching and merging fragments, neglecting to validate the consistency of the message_length field across all fragments that belong to a single logical message. As a result, an attacker can exploit this flaw by sending specially crafted DTLS fragments with conflicting message_length values. This can lead to a scenario where the implementation allocates a buffer based on a smaller initial fragment but subsequently writes beyond this buffer's bounds using larger, inconsistent fragments. The lack of proper bounds checking during the merge operation can cause out-of-bounds writes on the heap, which may lead to application crashes or memory corruption. This vulnerability can be exploited remotely and does not require authentication, creating a significant risk for affected implementations.