CVE-2025-32988
CVE Details
Visit the official vulnerability details page for CVE-2025-32988 to learn more.
Initial Publication
07/12/2025
Last Update
09/17/2025
Third Party Dependency
libgnutls30
NIST CVE Summary
A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure.
This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.
CVE Severity
Our Official Summary
This is a double-free memory vulnerability in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. When processing certificates with invalid or malformed type-id OIDs, GnuTLS incorrectly calls asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs.
The vulnerability affects the kubevirt and harbor components. If these components are not used, this vulnerability does not apply. Successful exploitation requires processing specially crafted X.509 certificates with malformed SAN entries, and in our environments certificate input is typically controlled through certificate validation processes and trusted certificate authorities.
The risk of exploitation is considered medium, as it requires an attacker to present malformed certificates that would trigger the vulnerable code path during TLS/SSL certificate processing.
Upstream patches addressing this issue will be adopted as and when they become available.
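The ownership error described in the summary above, as an added example that is not GnuTLS code or code from this advisory: a simplified C model in which a callee deletes a node it only borrows, shown beside the corrected pattern. The names `node_t`, `node_delete`, `oid_is_valid`, `export_othername_flawed`, `export_othername_fixed` and `run_case`, the OID check itself and the sample OID strings are all assumptions made for illustration; delete calls are counted rather than performed twice, so the model runs safely.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for an ASN.1 node; `releases` counts delete calls so the
 * model can show a double release without performing a real double free. */
typedef struct { char type_id[32]; int releases; } node_t;

static void node_delete(node_t *n) { n->releases++; }

/* Hypothetical OID check: non-empty, digits separated by single dots. */
static int oid_is_valid(const char *s) {
    if (!*s || *s == '.') return 0;
    for (; *s; s++) {
        if (*s == '.') { if (s[1] == '.' || s[1] == '\0') return 0; }
        else if (*s < '0' || *s > '9') return 0;
    }
    return 1;
}

/* Flawed pattern: the callee only borrows `n`, yet deletes it on the error path. */
static int export_othername_flawed(node_t *n) {
    if (!oid_is_valid(n->type_id)) { node_delete(n); return -1; }
    return 0;
}

/* Corrected pattern: report the error and leave cleanup to the owner. */
static int export_othername_fixed(node_t *n) {
    return oid_is_valid(n->type_id) ? 0 : -1;
}

/* The caller owns the node and always deletes it once; returns total delete calls. */
static int run_case(int (*export_fn)(node_t *), const char *type_id) {
    node_t *n = calloc(1, sizeof *n);
    if (!n) return -1;
    strncpy(n->type_id, type_id, sizeof n->type_id - 1);
    export_fn(n);
    node_delete(n);              /* owner's cleanup */
    int count = n->releases;     /* 2 means the same node was released twice */
    free(n);
    return count;
}

int main(void) {   /* OID strings below are constructed sample values */
    printf("flawed, bad OID:  %d deletes\n", run_case(export_othername_flawed, "1..2"));
    printf("fixed,  bad OID:  %d deletes\n", run_case(export_othername_fixed, "1..2"));
    printf("flawed, good OID: %d deletes\n", run_case(export_othername_flawed, "1.3.6.1.5.2.2"));
    return 0;
}
```

A count of 2 corresponds to the double-free condition in the real library, where the second delete operates on memory that has already been released.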
Status
Ongoing
Affected Products & Versions
Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
---|---|---|---|---|
4.7.16 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted |
4.6.41 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted |
Revision History
Date | Revision |
---|---|
09/17/2025 | Status changed from Open to Ongoing |
09/17/2025 | Official summary added |
08/22/2025 | Advisory severity revised to HIGH from MEDIUM |