Heap Overread Vulnerability in GnuTLS Affecting Specific RSA Key Implementations
CVE-2026-5260

8.2HIGH

Key Information:

Vendor: Red Hat
Status: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8
Vendor: CVE Published:; 26 May 2026

What is CVE-2026-5260?

A vulnerability has been identified in GnuTLS where a remote attacker may exploit a flaw during an RSA key exchange process. By sending a specially crafted extremely short premaster secret to a server that utilizes an RSA key backed by a PKCS#11 token, it is possible to initiate a short heap overread. This type of memory corruption may allow an attacker to gain unauthorized access to sensitive information, posing a significant risk to affected systems.

References

https://access.redhat.com/security/cve/CVE-2026-5260

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2467450

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 26, 2026
Vulnerability Reserved
Mar 31, 2026

Credit

Red Hat would like to thank Joshua Rogers (AISLE Research Team) for reporting this issue.

CVE-2026-5260 Data

JSON