CVE-2026-5419 PUBLISHED

Guntls: gnutls: information disclosure via timing side-channel in pkcs#7 padding removal

Assigner: redhat
Reserved: 02.04.2026 Published: 01.06.2026 Updated: 02.06.2026

A flaw was found in gnutls. The PKCS#7 padding check, performed during decryption, was not constant-time. This timing side-channel could allow a remote attacker to potentially leak sensitive information about the padding bytes through observable timing differences. This vulnerability is a form of information disclosure.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 3.7

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Red Hat
Product	Red Hat Enterprise Linux 10
Versions	Default: affected unaffected from 0:3.8.10-4.el10_2 to * (excl.)

Vendor	Red Hat
Product	Red Hat Enterprise Linux 6
Versions	Default: unknown

Vendor	Red Hat
Product	Red Hat Enterprise Linux 7
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 8
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 9
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Hardened Images
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat OpenShift Container Platform 4
Versions	Default: affected

Credits

Red Hat would like to thank Doria Tang (Stony Brook University) for reporting this issue.

References

Problem Types

Observable Timing Discrepancy CWE