CVE-2025-6395: 
GnuTLS vulnerability analysis and mitigation

A NULL pointer dereference vulnerability was discovered in the GnuTLS software, specifically in the gnutlsfigurecommonciphersuite() function. The vulnerability was disclosed on July 10, 2025, and was assigned identifier CVE-2025-6395. The flaw affects multiple versions of GnuTLS across various Linux distributions including Ubuntu, Debian, and Red Hat systems (NVD Database, Ubuntu Security).

The vulnerability is classified as CWE-476 (NULL Pointer Dereference) and has received a CVSS v3.1 base score of 6.5 (Medium severity). The vulnerability's attack vector is Network-based (N), with High attack complexity (H), requiring No privileges (N) and No user interaction (UI). The scope is Unchanged (U), with No impact on confidentiality (N), Low impact on integrity (L), and High impact on availability (H) (NVD Database).

When exploited, this vulnerability can allow an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial of service (DoS) that could crash the system (NVD Database).

The vulnerability has been fixed in various distributions with security updates. Ubuntu has released version 3.8.9-2ubuntu3.1 for 25.04 and version 3.8.3-1.1ubuntu3.4 for 24.04 LTS. Debian has fixed the issue in version 3.8.9-3 for sid and trixie releases. The upstream fix is available in GnuTLS version 3.8.10 (Ubuntu Security, Debian Tracker).