GnuTLS DoS via oversized SANs in certificates
CVE-2025-14831 Published on February 9, 2026

Gnutls: gnutls: denial of service via excessive resource consumption during certificate verification
A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2025-14831 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

NONE

Integrity Impact:

NONE

Availability Impact:

LOW

Timeline

2025-12-17

Reported to Red Hat.

2026-02-09

Made public. 54 days later.

Weakness Type

Inefficient Algorithmic Complexity

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Products Associated with CVE-2025-14831

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-14831 are published in these products:

Red Hat Enterprise Linux (RHEL)

Red Hat Openshift

Canonical Ubuntu Linux

Gnutls

Red Hat Insights Proxy

Red Hat Rhui

Affected Versions

Red Hat Enterprise Linux 10:

Version 0:3.8.10-3.el10_1 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 0:3.8.3-10.el9_7 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 0:3.8.3-10.el9_7 and below * is unaffected.

Red Hat Insights proxy 1.5:

Version sha256:325c34e2506d715975171557d40afb449c79cf6e0c41b35760977d5cafb827b8 and below * is unaffected.

Red Hat Update Infrastructure 5:

Version sha256:200c27e9b396276bd505c6b41127ac5eb1d94d620172cb818ae733f2a21ac524 and below * is unaffected.

Red Hat Update Infrastructure 5:

Version sha256:d98fd3fe5f5f9acd0efae7db19b61b864be1eb2fbe2586a1b6be2429fa2cc7a3 and below * is unaffected.

Red Hat Update Infrastructure 5:

Version sha256:2c50c87906a1abebf427a70f401c409f1258cb55d2096f517db870ec991cfd7f and below * is unaffected.

Red Hat Update Infrastructure 5:

Version sha256:5f1fbf66fb349a7baf066a1216d39989c3b89f18ec5108b96d9643baf4856778 and below * is unaffected.

Red Hat Enterprise Linux 6: Red Hat Enterprise Linux 7: Red Hat Enterprise Linux 8: Red Hat OpenShift Container Platform 4:

Exploit Probability

EPSS

0.06%

Percentile

19.20%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

GnuTLS DoS via oversized SANs in certificatesCVE-2025-14831 Published on February 9, 2026

Vulnerability Analysis

Timeline

Weakness Type

Inefficient Algorithmic Complexity

Products Associated with CVE-2025-14831

Affected Versions

Exploit Probability

GnuTLS DoS via oversized SANs in certificates
CVE-2025-14831 Published on February 9, 2026