USN-8539-1: GnuTLS vulnerabilities

Publication date

14 July 2026

Overview

Several security issues were fixed in GnuTLS.


Packages

Details

Haruto Kimura discovered that GnuTLS did not properly apply permitted
name constraints in certain certificate validation paths. A remote
attacker could possibly use this issue to bypass certificate validation,
leading to a machine-in-the-middle attack. (CVE-2026-42011)

Oleh Konko discovered that GnuTLS incorrectly fell back to Common Name
checks for certain URI and SRV subject alternative names. A remote
attacker could possibly use this issue to bypass certificate validation,
leading to a machine-in-the-middle attack. (CVE-2026-42012)

Haruto Kimura and Joshua Rogers discovered that GnuTLS incorrectly fell
back to Common Name checks when subject alternative names were
oversized. A remote attacker could possibly use this issue to bypass
certificate validation, leading to a machine-in-the-middle attack.
(

Haruto Kimura discovered that GnuTLS did not properly apply permitted
name constraints in certain certificate validation paths. A remote
attacker could possibly use this issue to bypass certificate validation,
leading to a machine-in-the-middle attack. (CVE-2026-42011)

Oleh Konko discovered that GnuTLS incorrectly fell back to Common Name
checks for certain URI and SRV subject alternative names. A remote
attacker could possibly use this issue to bypass certificate validation,
leading to a machine-in-the-middle attack. (CVE-2026-42012)

Haruto Kimura and Joshua Rogers discovered that GnuTLS incorrectly fell
back to Common Name checks when subject alternative names were
oversized. A remote attacker could possibly use this issue to bypass
certificate validation, leading to a machine-in-the-middle attack.
(CVE-2026-42013)

Luigino Camastra and Joshua Rogers discovered that GnuTLS had a
use-after-free issue when changing PKCS#11 token security officer PINs
in certain cases. An attacker could possibly use this issue to cause
GnuTLS to crash, resulting in a denial of service, or execute arbitrary
code. (CVE-2026-42014)

Zou Dikai discovered that GnuTLS did not properly validate PKCS#12 bag
sizes in certain cases. An attacker could possibly use this issue to
cause GnuTLS to crash, resulting in a denial of service, or execute
arbitrary code. (CVE-2026-42015)


Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
20.04 LTS focal libgnutls30 –  3.6.13-2ubuntu1.12+esm3  
18.04 LTS bionic libgnutls30 –  3.5.18-1ubuntu1.6+esm4  
16.04 LTS xenial libgnutls30 –  3.4.10-4ubuntu1.9+esm4  

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.


Have additional questions?

Talk to a member of the team ›