CVE-2025-9820: A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a toke...

Description

A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.

Metrics

CVSS 3.1

4/10

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS Probability

0.20%

10.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-121

References

Timeline

Published: Jan 26, 2026
Last Modified: Jun 25, 2026
Status: Deferred

Frequently Asked Questions

What is CVE-2025-9820?

A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.

How severe is CVE-2025-9820?

CVE-2025-9820 has a CVSS score of 4/10 (MEDIUM severity). The EPSS model estimates a 0.20% probability of exploitation in the next 30 days.

How do I fix CVE-2025-9820?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.