Information Disclosure Vulnerability in GnuTLS Affects Multiple Versions
CVE-2026-5419

3.7LOW

Key Information:

Vendor

Red Hat
Status
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Vendor
CVE Published:
1 June 2026

What is CVE-2026-5419?

A vulnerability exists in GnuTLS related to the PKCS#7 padding check during decryption, which is not processed in constant time. This oversight creates a timing side-channel vulnerability that can be exploited by remote attackers to deduce information regarding the padding bytes. By analyzing the timing differences in responses, attackers could potentially glean sensitive information, leading to exposure of plaintext data and further security risks. It is crucial for users of GnuTLS to review and update their systems to mitigate the risk posed by this vulnerability.

Affected Version(s)

Red Hat Enterprise Linux 10 0:3.8.10-4.el10_2

Red Hat Enterprise Linux 9 0:3.8.10-4.el9_8

Red Hat Enterprise Linux 9 0:3.8.10-4.el9_8

References

https://access.redhat.com/errata/RHSA-2026:20612
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:20613
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-5419
vdb-entryx_refsource_REDHAT

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Doria Tang (Stony Brook University) for reporting this issue.
.