securityonline.info 2/11/2026, 1:16:11 AM · via preferred

Handshake Halt: GnuTLS 3.8.12 Fixes TLS 1.3 Crash & CPU Exhaustion

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch status: Unknown

GnuTLS has released version 3.8.12, published on 9 February 2026, to fix two denial-of-service vulnerabilities that could crash servers or exhaust CPU resources. The more severe issue, CVE-2026-1584, is a high-severity NULL pointer dereference in the TLS 1.3 resumption path, triggered by a malformed ClientHello carrying an invalid PSK binder value.

The second vulnerability, CVE-2025-14831, is a medium-severity issue in how the library verifies names against certificates carrying a pathological number of name constraints; this can also exhaust resources and leave a server unresponsive. The fixes add a guard against the problematic dereference and improve the processing of complex certificates, so that the TLS handshake and certificate verification handle such input robustly.

Administrators and developers relying on GnuTLS for secure communications are urged to update their libraries promptly to prevent potential service disruptions.
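Added example (not code from the article or from the GnuTLS project): a POSIX shell check that reports whether a host's GnuTLS is at or above the fixed 3.8.12 release. It assumes `pkg-config` or `gnutls-cli` is available to report the installed version, and it treats every release below 3.8.12 as needing review, since the article does not enumerate the affected range.

```shell
# Fixed release named in the GnuTLS 3.8.12 announcement.
GNUTLS_FIXED_VERSION="3.8.12"

# gnutls_is_fixed VERSION
# Returns 0 when VERSION is >= 3.8.12, 1 otherwise.
# Compares components numerically (so 3.8.9 < 3.8.12, unlike a string compare)
# and tolerates a distro suffix such as "3.8.12-1".
gnutls_is_fixed() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  i1=${1:-0}; i2=${2:-0}; i3=${3:-0}
  set -- $GNUTLS_FIXED_VERSION
  f1=$1; f2=$2; f3=$3
  IFS=$old_ifs
  # Strip anything after the first non-digit in the patch component.
  i3=${i3%%[!0-9]*}
  i3=${i3:-0}
  [ "$i1" -gt "$f1" ] && return 0
  [ "$i1" -lt "$f1" ] && return 1
  [ "$i2" -gt "$f2" ] && return 0
  [ "$i2" -lt "$f2" ] && return 1
  [ "$i3" -ge "$f3" ]
}

# gnutls_installed_version
# Prints the installed GnuTLS version, preferring pkg-config and
# falling back to parsing the first dotted version in gnutls-cli output.
gnutls_installed_version() {
  if command -v pkg-config >/dev/null 2>&1 && pkg-config --exists gnutls 2>/dev/null; then
    pkg-config --modversion gnutls
  elif command -v gnutls-cli >/dev/null 2>&1; then
    gnutls-cli --version 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1
  else
    return 1
  fi
}

# gnutls_check_host
# Human-readable verdict for the local host; returns 0 if fixed, 1 otherwise.
gnutls_check_host() {
  v=$(gnutls_installed_version) || { echo "GnuTLS not found"; return 1; }
  if gnutls_is_fixed "$v"; then
    echo "GnuTLS $v: at or above $GNUTLS_FIXED_VERSION"
  else
    echo "GnuTLS $v: below $GNUTLS_FIXED_VERSION, update recommended"
    return 1
  fi
}
```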


Article by CyberSIXT