Early Access — Mondoo Vulnerability Intelligence is currently in preview.

UBUNTU-CVE-2025-32990

MEDIUM6.5

Published Jul 10, 2025

Modified 6 months ago

Fix available

Details

A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.

Affected Packages

Ubuntu:Pro:16.04:LTSgnutls28

Affected versions:

3.3.15-5ubuntu23.3.18-1ubuntu13.3.20-1ubuntu13.4.10-4ubuntu13.4.10-4ubuntu1.13.4.10-4ubuntu1.23.4.10-4ubuntu1.33.4.10-4ubuntu1.43.4.10-4ubuntu1.53.4.10-4ubuntu1.6+5 more

Ubuntu:Pro:18.04:LTSgnutls28

Affected versions:

3.5.17-1ubuntu13.5.17-1ubuntu33.5.18-1ubuntu13.5.18-1ubuntu1.13.5.18-1ubuntu1.23.5.18-1ubuntu1.33.5.18-1ubuntu1.43.5.18-1ubuntu1.53.5.18-1ubuntu1.63.5.18-1ubuntu1.6+esm1+1 more

Ubuntu:Pro:20.04:LTSgnutls28

Affected versions:

3.6.10-53.6.11.1-23.6.11.1-2ubuntu23.6.13-2ubuntu13.6.13-2ubuntu1.13.6.13-2ubuntu1.103.6.13-2ubuntu1.113.6.13-2ubuntu1.123.6.13-2ubuntu1.23.6.13-2ubuntu1.3+6 more

Ubuntu:22.04:LTSgnutls28

Affected versions:

3.7.1-5ubuntu13.7.2-2ubuntu13.7.2-4ubuntu13.7.2-5ubuntu13.7.3-4ubuntu13.7.3-4ubuntu1.13.7.3-4ubuntu1.23.7.3-4ubuntu1.33.7.3-4ubuntu1.43.7.3-4ubuntu1.5+1 more

Fixed in:

3.7.3-4ubuntu1.7

Ubuntu:Pro:FIPS-preview:22.04:LTSgnutls28

Affected versions:

3.7.3-4ubuntu1.2+Fips1.1

Ubuntu:Pro:FIPS-updates:22.04:LTSgnutls28

Affected versions:

3.7.3-4ubuntu1.2+Fips1.13.7.3-4ubuntu1.3+Fips1.13.7.3-4ubuntu1.4+Fips13.7.3-4ubuntu1.5+Fips13.7.3-4ubuntu1.6+Fips1

Ubuntu:24.04:LTSgnutls28

Affected versions:

3.8.1-4ubuntu13.8.1-4ubuntu63.8.1-4ubuntu73.8.3-1.1ubuntu23.8.3-1.1ubuntu33.8.3-1.1ubuntu3.13.8.3-1.1ubuntu3.23.8.3-1.1ubuntu3.33.8.3-1ubuntu1

Fixed in:

3.8.3-1.1ubuntu3.4

Ubuntu:25.04gnutls28

Affected versions:

3.8.6-2ubuntu13.8.8-2ubuntu13.8.9-2ubuntu13.8.9-2ubuntu23.8.9-2ubuntu3

Fixed in:

3.8.9-2ubuntu3.1

Ubuntu:16.04:LTSgnutls28

Affected versions:

3.3.15-5ubuntu23.3.18-1ubuntu13.3.20-1ubuntu13.4.10-4ubuntu13.4.10-4ubuntu1.13.4.10-4ubuntu1.23.4.10-4ubuntu1.33.4.10-4ubuntu1.43.4.10-4ubuntu1.53.4.10-4ubuntu1.6+5 more

Ubuntu:18.04:LTSgnutls28

Affected versions:

3.5.17-1ubuntu13.5.17-1ubuntu33.5.18-1ubuntu13.5.18-1ubuntu1.13.5.18-1ubuntu1.23.5.18-1ubuntu1.33.5.18-1ubuntu1.43.5.18-1ubuntu1.53.5.18-1ubuntu1.63.5.18-1ubuntu1.6+esm1+1 more

Ubuntu:20.04:LTSgnutls28

Affected versions:

3.6.10-53.6.11.1-23.6.11.1-2ubuntu23.6.13-2ubuntu13.6.13-2ubuntu1.13.6.13-2ubuntu1.103.6.13-2ubuntu1.113.6.13-2ubuntu1.123.6.13-2ubuntu1.23.6.13-2ubuntu1.3+6 more

Ubuntu:FIPS-preview:22.04:LTSgnutls28

Affected versions:

3.7.3-4ubuntu1.2+Fips1.1

Ubuntu:FIPS-updates:22.04:LTSgnutls28

Affected versions:

3.7.3-4ubuntu1.2+Fips1.13.7.3-4ubuntu1.3+Fips1.13.7.3-4ubuntu1.4+Fips13.7.3-4ubuntu1.5+Fips13.7.3-4ubuntu1.6+Fips1

References

REPORThttps://access.redhat.com/security/cve/CVE-2025-32990 REPORThttps://lists.gnupg.org/pipermail/gnutls-help/2025-July/004883.html REPORThttps://ubuntu.com/security/CVE-2025-32990 ADVISORYhttps://ubuntu.com/security/notices/USN-7635-1 REPORThttps://www.cve.org/CVERecord?id=CVE-2025-32990

CVSS Analysis

CVSS v3.1

6.5

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

LowI:L

Availability

LowA:L

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Upstream

CVE-2025-32990

USN-7635-1

Ecosystems

Ubuntu Pro 16.04 LTS Ubuntu Pro 18.04 LTS Ubuntu Pro 20.04 LTS Ubuntu 22.04 LTS Ubuntu Pro FIPS-preview 22.04 LTS Ubuntu Pro FIPS-updates 22.04 LTS Ubuntu 24.04 LTS Ubuntu 25.04 Ubuntu 16.04 LTS Ubuntu 18.04 LTS Ubuntu 20.04 LTS Ubuntu FIPS-preview 22.04 LTS Ubuntu FIPS-updates 22.04 LTS

Timeline

PublishedJul 10, 2025

ModifiedJul 15, 2025

UBUNTU-CVE-2025-32990 | Mondoo Vulnerability Intelligence

UBUNTU-CVE-2025-32990

Details

Affected Packages

References

CVSS Analysis

Upstream

Related

Ecosystems

Timeline