
Cloud Vulnerability DB
A community-led vulnerabilities database
A double-free vulnerability (CVE-2025-32988) was discovered in GnuTLS, affecting version 3.8.9. The vulnerability exists due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. The issue was disclosed on July 10, 2025, and affects various systems using the GnuTLS library (NVD, Red Hat).
The vulnerability occurs when the type-id OID is invalid or malformed, causing GnuTLS to call asn1_delete_structure() on an ASN.1 node it does not own. This leads to a double-free condition when the parent function or caller later attempts to free the same structure. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H and is classified as CWE-415 (Double Free) (NVD, Snyk).
The vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior. A remote attacker could potentially cause the application to crash or, in some cases, execute arbitrary code (Ubuntu).
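To make the ownership mistake concrete, the following is a constructed C model added here; it is not GnuTLS or libtasn1 code, and node_t, oid_is_valid, export_othername_buggy, export_othername_fixed and frees_after_export are hypothetical names. The buggy helper frees a caller-owned node on the malformed-OID path, so the owner's normal release becomes the second free; the hardened helper reports the error and leaves the free to the owner.

```c
/* Constructed model of the ownership bug class behind CVE-2025-32988: a helper
 * frees an ASN.1 node it does not own, so the owner's release is a double free.
 * Not GnuTLS/libtasn1 code; every name here is hypothetical. In this model
 * frees are counted, not performed, so the double free is observable. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct { char oid[64]; int frees; } node_t;  /* type-id OID, free count */
static node_t *node_new(const char *oid) {
    node_t *n = calloc(1, sizeof *n);
    if (n) strncpy(n->oid, oid, sizeof n->oid - 1);
    return n;
}
static void node_delete(node_t *n) { n->frees++; }

/* Minimal dotted-decimal syntax check: digits only, no empty arcs. */
static int oid_is_valid(const char *oid) {
    int prev_dot = 1;
    for (const char *p = oid; *p; p++) {
        if (*p == '.') { if (prev_dot) return 0; prev_dot = 1; }
        else if (*p >= '0' && *p <= '9') prev_dot = 0;
        else return 0;
    }
    return !prev_dot;
}

/* Vulnerable pattern: on a malformed OID the helper deletes the caller's node. */
static int export_othername_buggy(node_t *san, char *out, size_t len) {
    if (!oid_is_valid(san->oid)) { node_delete(san); return -1; } /* BUG */
    return snprintf(out, len, "otherName:%s", san->oid) < 0 ? -1 : 0;
}

/* Hardened pattern: report the error; the free stays with the owner. */
static int export_othername_fixed(node_t *san, char *out, size_t len) {
    if (!oid_is_valid(san->oid)) return -1;
    return snprintf(out, len, "otherName:%s", san->oid) < 0 ? -1 : 0;
}

/* The owner: allocate, export, release exactly once. Returns how many frees
 * the node saw: 1 is correct, 2 is a double free (CWE-415), -1 is OOM. */
static int frees_after_export(int (*exporter)(node_t *, char *, size_t), const char *oid) {
    node_t *san = node_new(oid);
    char buf[96];
    if (!san) return -1;
    (void)exporter(san, buf, sizeof buf);
    node_delete(san);          /* owner's single, legitimate release */
    int frees = san->frees;
    free(san);                 /* real release of the model object */
    return frees;
}
```

The OID strings passed in are constructed samples; a double-dot such as "1.3.6.1.4.1..9" stands in for any malformed type-id.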
Updates have been released for various affected systems. Ubuntu users should update to the following versions: Ubuntu 25.04 (libgnutls30t64 – 3.8.9-2ubuntu3.1), Ubuntu 24.04 (libgnutls30t64 – 3.8.3-1.1ubuntu3.4), and Ubuntu 22.04 (libgnutls30 – 3.7.3-4ubuntu1.7). Debian 12 users should upgrade to gnutls28 version 3.7.9-2+deb12u5 or higher (Ubuntu, Snyk).
Source: This report was generated using AI