GnuTLS DoS via oversized SANs in certificates
CVE-2025-14831 Published on February 9, 2026
Gnutls: gnutls: denial of service via excessive resource consumption during certificate verification
A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).
Vulnerability Analysis
CVE-2025-14831 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.
Timeline
Reported to Red Hat.
Made public. 54 days later.
Weakness Type
Inefficient Algorithmic Complexity
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Products Associated with CVE-2025-14831
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-14831 are published in these products:
Affected Versions
Red Hat Enterprise Linux 10:- Version 0:3.8.10-3.el10_1 and below * is unaffected.
- Version 0:3.8.9-9.el10_0.17 and below * is unaffected.
- Version 0:3.6.16-8.el8_10.5 and below * is unaffected.
- Version 0:3.6.16-8.el8_10.5 and below * is unaffected.
- Version 0:3.8.3-10.el9_7 and below * is unaffected.
- Version 0:3.8.3-10.el9_7 and below * is unaffected.
- Version 0:3.7.6-21.el9_2.5 and below * is unaffected.
- Version 0:3.8.3-4.el9_4.5 and below * is unaffected.
- Version 0:3.8.3-6.el9_6.3 and below * is unaffected.
- Version sha256:54616c9f3e4d27120504b0b2020432ef3ff85286a50de7be842f05df0cfcd69e and below * is unaffected.
- Version sha256:0ec114881d9dcd28a5dbbb2ec0ea1301ad87d5ae133121ce8167ef29d19802cc and below * is unaffected.
- Version sha256:813ba7ccd1696b44deb90d9e6cd8af114bdb47781eae7f27246a81fba062a892 and below * is unaffected.
- Version sha256:be6d568f28044533e4ad80f0856407c359e2eaf31a6b89cada433e6575d2300e and below * is unaffected.
- Version sha256:1160569002c25d3d349bbe41b57eeffade438853d3419edca01813227440f414 and below * is unaffected.
- Version sha256:040dadd657afdb9f0914f896a4962fd3dbf40b70c8037e4d72b6801b766c9b7d and below * is unaffected.
- Version sha256:062310de4b34e278f8c7e4634def673a77d1228d493541ef1264ba4cb83b68eb and below * is unaffected.
- Version 3.8.12-1.1.hum1 and below * is unaffected.
- Version sha256:325c34e2506d715975171557d40afb449c79cf6e0c41b35760977d5cafb827b8 and below * is unaffected.
- Version sha256:200c27e9b396276bd505c6b41127ac5eb1d94d620172cb818ae733f2a21ac524 and below * is unaffected.
- Version sha256:d98fd3fe5f5f9acd0efae7db19b61b864be1eb2fbe2586a1b6be2429fa2cc7a3 and below * is unaffected.
- Version sha256:2c50c87906a1abebf427a70f401c409f1258cb55d2096f517db870ec991cfd7f and below * is unaffected.
- Version sha256:5f1fbf66fb349a7baf066a1216d39989c3b89f18ec5108b96d9643baf4856778 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.