microsoft · azurelinux-security · May 8, 2026
@@ -0,0 +1,62 @@
+From 5b9fac36697a1e97abbd3495dad4bbb81c047749 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Fri, 8 May 2026 22:02:21 +0000
+Subject: [PATCH] buffers: add more checks to DTLS reassembly
+
+Previously, gnutls didn't check that DTLS fragments claimed
+a consistent message_length value.
+Additionally, a crucial array size check was missing,
+enabling an attacker to cause a heap overwrite.
+The updated version rejects fragments with mismatching length
+and adds a missing boundary check.
+
+Reported-by: Haruto Kimura (Stella)
+Reported-by: Oscar Reparaz
+Reported-by: Zou Dikai
+Fixes: #1816
+Fixes: #1838
+Fixes: #1839
+Fixes: CVE-2026-33846
+Fixes: GNUTLS-SA-2026-04-29-1
+CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
+CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78.patch
+---
+ lib/buffers.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/lib/buffers.c b/lib/buffers.c
+index 672380b..a607bea 100644
+--- a/lib/buffers.c
++++ b/lib/buffers.c
+@@ -1009,6 +1009,26 @@ static int merge_handshake_packet(gnutls_session_t session,
+ 			&session->internals.handshake_recv_buffer[pos], hsk);
+
+ 	} else {
++			if (hsk->length != session->internals.handshake_recv_buffer[pos].length) {
++				/* inconsistent across fragments */
++				_gnutls_handshake_buffer_clear(hsk);
++				return gnutls_assert_val(
++					GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
++			}
++			/* start_offset + data.length <= hsk->length <= max_length */
++			if (hsk->length < hsk->start_offset + hsk->data.length) {
++				/* impossible claims, overflow requested */
++				_gnutls_handshake_buffer_clear(hsk);
++				return gnutls_assert_val(
++					GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
++			}
++			if (hsk->length > session->internals.handshake_recv_buffer[pos].data.max_length) {
++				/* we don't have this much allocated, overflow guard */
++				_gnutls_handshake_buffer_clear(hsk);
++				return gnutls_assert_val(
++					GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
++			}
++
+ 		if (hsk->start_offset <
+ 			    session->internals.handshake_recv_buffer[pos]
+ 				    .start_offset &&
+-- 
+2.45.4
+
@@ -0,0 +1,48 @@
+From c7bca215684c7739b84df6bb4711d3ef5b845426 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Thu, 12 Mar 2026 09:48:57 +0100
+Subject: [PATCH] cert-session: fix multi-entry OCSP revocation bypass
+
+In check_ocsp_response(), the code first searched
+for the SingleResponse that matches the certificate being validated.
+But later, the status was retrieved from entry 0 unconditionally,
+rather than from the matched resp_indx.
+As a result, if entry 0 corresponded to a different certificate and was good,
+while the matched entry for the peer certificate is revoked,
+the revocation check could've mistakenly accept the certificate.
+
+Reported-by: Oleh Konko (1seal) <security@1seal.org>
+Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
+Fixes: #1801
+Fixes: #1812
+Fixes: CVE-2026-3832
+Fixes: GNUTLS-SA-2026-04-29-12
+CVSS: 3.7 Low CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
+Introduced-in: ae404fe8488dee424876b5963c00d7e041672415 3.8.9
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://gitlab.com/gnutls/gnutls/-/commit/731861b9de8dccaf7d3b0c1446833051e48670c2.patch
+---
+ lib/cert-session.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/cert-session.c b/lib/cert-session.c
+index 5a4b997..dfed3b2 100644
+--- a/lib/cert-session.c
++++ b/lib/cert-session.c
+@@ -339,9 +339,9 @@ static int check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
+ 		goto cleanup;
+ 	}
+
+-	ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL,
+-					  &cert_status, &vtime, &ntime, &rtime,
+-					  NULL);
++	ret = gnutls_ocsp_resp_get_single(resp, resp_indx, NULL, NULL, NULL,
++					  NULL, &cert_status, &vtime, &ntime,
++					  &rtime, NULL);
+ 	if (ret < 0) {
+ 		_gnutls_audit_log(
+ 			session,
+-- 
+2.45.4
+
@@ -1,7 +1,7 @@
 Summary:        The GnuTLS Transport Layer Security Library
 Name:           gnutls
 Version:        3.8.3
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        GPLv3+ AND LGPLv2.1+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -20,6 +20,8 @@ Patch7:         CVE-2025-32988.patch
 Patch8:         CVE-2025-6395.patch
 Patch9:         CVE-2025-13151.patch
 Patch10:        CVE-2025-9820.patch
+Patch11:        CVE-2026-33846.patch
+Patch12:        CVE-2026-3832.patch
 BuildRequires:  autogen-libopts-devel
 BuildRequires:  gc-devel
 BuildRequires:  libtasn1-devel
@@ -101,6 +103,9 @@ sed -i 's/TESTS += test-ciphers-openssl.sh//'  tests/slow/Makefile.am
 %{_mandir}/man3/*
 
 %changelog
+* Fri May 08 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.8.3-9
+- Patch for CVE-2026-3832, CVE-2026-33846
+
 * Wed Jan 28 2026 Akhila Guruju <v-guakhila@microsoft.com> - 3.8.3-8
 - Patch CVE-2025-9820